CN117440366A - Communication method, communication device and communication system - Google Patents

Communication method, communication device and communication system Download PDF

Info

Publication number
CN117440366A
Authority
CN
China
Prior art keywords
qfi
security policy
security
drb
qos
Prior art date
Legal status
Pending
Application number
CN202210821767.5A
Other languages
Chinese (zh)
Inventor
朱锦涛
李飞
丁辉
Current Assignee
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Priority date
Filing date
Publication date
Application filed by Huawei Technologies Co Ltd
Priority to CN202210821767.5A
Priority to PCT/CN2023/105370 (published as WO2024012299A1)
Publication of CN117440366A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/40 Network security protocols
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/03 Protecting confidentiality, e.g. by encryption
    • H04W 12/10 Integrity
    • H04W 24/00 Supervisory, monitoring or testing arrangements
    • H04W 24/02 Arrangements for optimising operational condition

Abstract

The application provides a communication method, a communication device and a communication system. The method comprises the following steps: acquiring a security policy corresponding to a quality of service flow identifier (QoS flow identifier, QFI), the security policy comprising an integrity protection and/or confidentiality protection policy; and performing security protection on a first data radio bearer (DRB) corresponding to the QFI according to the security policy. With this scheme, user-plane data security protection at QoS flow/DRB granularity can be achieved, so that the security requirements of different types of service are met and the protection applied to service data is matched more accurately to the service.

Description

Communication method, communication device and communication system
Technical Field
The present disclosure relates to the field of wireless communications technologies, and in particular, to a communication method, a communication device, and a communication system.
Background
In a mobile communication system, during the protocol data unit (PDU) session establishment procedure, the session management function (SMF) network element may provide a user plane (UP) security policy for the PDU session in order to secure service data transmission. The UP security policy indicates whether UP confidentiality protection and/or UP integrity protection is activated for all data radio bearers (DRBs) belonging to the PDU session.
The fifth generation mobile network (5G) offers low latency, high reliability and wide coverage and, combined with technologies such as artificial intelligence and end-to-end network slicing, has broad application prospects in many fields, including industry. When 5G enters an industrial field network, industrial equipment carries both ordinary service messages and functional safety messages; because these messages differ in performance requirements and importance, the requirements on data security protection are higher.
Disclosure of Invention
The embodiment of the application provides a communication method, a communication device and a communication system, which can realize the data security protection of a user plane based on QoS flow/DRB granularity so as to meet the security requirements of different types of services and improve the accuracy of the data security protection.
In a first aspect, the present application discloses a communication method, which may be applied to an access network device, a module (e.g. a chip or a processor) in the access network device, or a logic module or software capable of implementing all or part of the functions of the access network device. The following description takes the access network device as the execution body. The communication method may include: the access network device acquires a security policy corresponding to a quality of service flow identifier (QFI), the security policy comprising an integrity protection and/or confidentiality protection policy; and performs security protection on the first DRB corresponding to the QFI according to the security policy.
According to this embodiment, security policy control of the user-plane session is performed at QoS flow/DRB granularity: different security policies are associated with specific QoS flows, and the QoS flows are mapped to DRBs, so that different QoS flows/DRBs can execute different security policies and security protection is performed per QoS flow/DRB. This meets the security requirements of different types of service and, compared with the case in which all QoS flows/DRBs of a PDU session use the same security policy at PDU session granularity, matches the protection of service data more accurately to the service.
One possible implementation manner, obtaining the security policy corresponding to the QFI includes: and receiving the security policy corresponding to the QFI from the SMF network element.
According to the embodiment of the application, the access network equipment acquires the security policy corresponding to the QFI, and one possible implementation manner is that the SMF network element sends the security policy corresponding to the QFI to the access network equipment, so that the access network equipment can acquire the security policy corresponding to the QFI.
One possible implementation manner, obtaining the security policy corresponding to the QFI includes: acquiring QoS attribute indication information corresponding to QFI, wherein the QoS attribute indication information indicates the quality of service guarantee adopted for the data flow; acquiring a security policy corresponding to the QoS attribute indication information; and determining the security policy corresponding to the QFI according to the QoS attribute indication information corresponding to the QFI and the security policy corresponding to the QoS attribute indication information.
According to the embodiment of the application, the access network equipment acquires the security policy corresponding to the QFI, and one possible implementation manner is that the access network equipment acquires the QoS attribute indication information corresponding to the QFI first and then acquires the security policy corresponding to the QoS attribute indication information, so that the access network equipment can determine and obtain the security policy corresponding to the QFI according to the QoS attribute indication information corresponding to the QFI and the security policy corresponding to the QoS attribute indication information.
One possible implementation manner, obtaining the security policy corresponding to the QFI includes: receiving QoS attribute indication information corresponding to QFI from SMF network element, wherein the QoS attribute indication information indicates service quality adopted for data flow; receiving a security policy corresponding to QoS attribute indication information from an application function (application function, AF) network element; and determining the security policy corresponding to the QFI according to the QoS attribute indication information corresponding to the QFI and the security policy corresponding to the QoS attribute indication information.
According to the embodiment of the application, the access network equipment can acquire the QoS attribute indication information corresponding to the QFI from the SMF network element and acquire the security policy corresponding to the QoS attribute indication information from the AF network element. In the embodiment of the present application, only the SMF network element and the AF network element are taken as examples for explanation, and the access network device may further obtain QoS attribute indication information corresponding to the QFI and a security policy corresponding to the QoS attribute indication information from other network elements.
In one possible implementation, the communication method may further include: and the access network equipment sends indication information to the terminal equipment according to the security policy, wherein the indication information is used for indicating the execution of security protection on the first DRB.
According to the embodiment of the application, the access network equipment sends the indication information to the terminal equipment, so that the terminal equipment can execute security protection on the first DRB according to the indication information. It will be appreciated that the access network device may perform security protection on the data packets carried on the first DRB. It is also understood that the DRB supports the corresponding security policies of QFI. Security protection may include integrity and/or confidentiality protection, among others. Therefore, the data security protection based on the DRB granularity can be realized, so that the security requirements of different types of services are met, and the accuracy of the data security protection is improved.
One possible implementation manner, performing security protection on the first DRB corresponding to the QFI according to the security policy includes: the access network equipment receives a first data packet from the terminal equipment through a first DRB; and executing security protection on the first data packet according to the security policy.
In the embodiment of the present application, when the terminal device needs to send an uplink data packet, for example the first data packet, the terminal device may first determine the QFI of the first data packet, then determine the first DRB corresponding to that QFI according to the correspondence between QFIs and DRBs, and send the first data packet to the access network device on the first DRB. The access network device may determine the corresponding security policy from the first DRB on which the packet arrived, and then perform security protection on the first data packet according to that policy. In this way, data security protection at DRB granularity is realized, so that the security requirements of different types of service are met and the accuracy of the data security protection is improved.
In one possible implementation, the communication method may further include: and determining a security policy according to the QFI included in the first data packet.
After determining the QFI of the first data packet, the terminal device may optionally carry the QFI in the header of the data packet, so that the access network device can determine the security policy corresponding to the QFI from the QFI in the header of the first data packet and perform security protection on the first data packet according to that policy. In this way, data security protection at QoS flow granularity is realized, so that the security requirements of different types of service are met and the accuracy of the data security protection is improved.
In one possible implementation, the communication method may further include: the access network device sends the first data packet to a User Plane Function (UPF) network element through a quality of service (QoS) Flow corresponding to the QFI.
After the access network device performs the security protection on the first data packet, the access network device can send the first data packet to the UPF network element, so as to realize uplink data transmission of the user plane.
One possible implementation manner, performing security protection on the first DRB corresponding to the QFI according to the security policy includes: the access network equipment can receive a second data packet from the UPF network element through the QoS flow corresponding to the QFI; performing security protection on the second data packet according to the security policy; and sending the second data packet to the terminal equipment through the first DRB.
In the embodiment of the present application, when the UPF network element needs to send the second data packet to the access network device, it may determine the QFI of the second data packet and send the second data packet to the access network device through the QoS flow corresponding to that QFI. On receiving the second data packet, the access network device can perform security protection on it based on the security policy corresponding to the QFI, and then send the protected second data packet to the terminal device, thereby realizing downlink data transmission of the user plane. In this way, data security protection at QoS flow granularity is realized, so that the security requirements of different types of service are met and the accuracy of the data security protection is improved.
One possible implementation, the first DRB is capable of supporting the security policy.
In one possible implementation, the communication method may further include: the first DRB is selected from the already created DRBs, or is newly created.
In the embodiment of the present application, before the access network device receives the first data packet from the terminal device through the first DRB or sends the second data packet to the terminal device through the first DRB, the first DRB may be determined first. One possible implementation determines a DRB from the created DRBs that is capable of supporting the security policy corresponding to QFI. Another possible implementation is to create a new DRB supporting the security policy corresponding to QFI. Optionally, the access network device can correspondingly associate the QFI and the DRB with the security policy, so that the data security protection of the user plane based on the QoS flow/DRB granularity can be realized, the security requirements of different types of services can be met, and the accuracy of the data security protection can be improved.
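The gNB-side behaviour described in the first aspect (deriving the per-QFI policy by joining the SMF's QoS attribute with the AF's per-attribute policy, selecting or creating a DRB that supports that policy, and protecting uplink and downlink packets per DRB), modelled in Python as an added example. This is not code from the patent or from any Huawei product. Assumptions: the QoS attribute is a 5QI-like integer, a policy is a pair of booleans, the keys are constructed test values, and the protection routine is a PDCP-like stand-in (HMAC-SHA256 for the MAC-I, an HMAC-derived keystream for ciphering) rather than the 3GPP NIA/NEA algorithms. The `check_uplink_mapping` cross-check is an added practitioner's safeguard, not a step the text names.

```python
"""gNB-side model of QFI-granular user-plane security (added illustration).

Not code from the patent. Stand-ins: HMAC-SHA256 for MAC-I, HMAC-in-counter-mode
for ciphering; keys and tables below are constructed test values.
"""
from __future__ import annotations

import hashlib
import hmac
import struct
from dataclasses import dataclass, field


@dataclass(frozen=True)
class SecurityPolicy:
    integrity: bool
    confidentiality: bool


class IntegrityError(Exception):
    """A received PDU failed MAC-I verification."""


def derive_qfi_policies(qfi_to_qos_attr: dict[int, int],
                        qos_attr_to_policy: dict[int, SecurityPolicy]) -> dict[int, SecurityPolicy]:
    """Join the per-QFI QoS attribute (from the SMF) with the per-attribute policy
    (from the AF). A QFI whose attribute has no policy is an error, not 'unprotected'."""
    missing = {a for a in qfi_to_qos_attr.values() if a not in qos_attr_to_policy}
    if missing:
        raise KeyError(f"no security policy for QoS attribute(s) {sorted(missing)}")
    return {qfi: qos_attr_to_policy[attr] for qfi, attr in qfi_to_qos_attr.items()}


@dataclass
class DRB:
    drb_id: int
    policy: SecurityPolicy
    qfis: set[int] = field(default_factory=set)


class AccessNode:
    """QFI->policy table, QFI->DRB mapping and user-plane keys of one gNB.
    PDCP security is symmetric, so the same class also models the UE side."""

    def __init__(self, qfi_policies: dict[int, SecurityPolicy], k_int: bytes, k_enc: bytes):
        self.qfi_policies = dict(qfi_policies)
        self.drbs: dict[int, DRB] = {}
        self.qfi_to_drb: dict[int, int] = {}
        self.k_int, self.k_enc = k_int, k_enc

    def drb_for_qfi(self, qfi: int) -> DRB:
        """Reuse a created DRB whose policy equals the QFI's policy, else create one.
        'Supports' is taken as exact match: a flow requiring integrity is never
        mapped onto a DRB with integrity off."""
        if qfi in self.qfi_to_drb:
            return self.drbs[self.qfi_to_drb[qfi]]
        policy = self.qfi_policies[qfi]  # KeyError for an unknown QFI: no silent default
        drb = next((d for d in self.drbs.values() if d.policy == policy), None)
        if drb is None:
            drb = DRB(len(self.drbs) + 1, policy)
            self.drbs[drb.drb_id] = drb
        drb.qfis.add(qfi)
        self.qfi_to_drb[qfi] = drb.drb_id
        return drb

    def check_uplink_mapping(self, drb: DRB, qfi: int) -> SecurityPolicy:
        """If the uplink packet header carries a QFI, cross-check it against the DRB it
        arrived on: a protected flow arriving on an unprotected DRB would bypass its policy."""
        if self.qfi_to_drb.get(qfi) != drb.drb_id:
            raise ValueError(f"QFI {qfi} is not mapped to DRB {drb.drb_id}")
        return drb.policy

    # PDU layout: COUNT(4) || cipher(SDU || MAC-I(4, only if integrity)).
    # COUNT must never repeat under one key on one DRB, or the keystream repeats.
    def _keystream(self, drb_id: int, count: int, n: int) -> bytes:
        out, block = bytearray(), 0
        while len(out) < n:
            out += hmac.new(self.k_enc, struct.pack(">BIH", drb_id, count, block), hashlib.sha256).digest()
            block += 1
        return bytes(out[:n])

    def _mac(self, drb_id: int, count: int, sdu: bytes) -> bytes:
        return hmac.new(self.k_int, struct.pack(">BI", drb_id, count) + sdu, hashlib.sha256).digest()[:4]

    def protect(self, drb: DRB, count: int, sdu: bytes) -> bytes:
        body = sdu + (self._mac(drb.drb_id, count, sdu) if drb.policy.integrity else b"")
        if drb.policy.confidentiality:
            body = bytes(a ^ b for a, b in zip(body, self._keystream(drb.drb_id, count, len(body))))
        return struct.pack(">I", count) + body

    def unprotect(self, drb: DRB, pdu: bytes) -> bytes:
        count, body = struct.unpack(">I", pdu[:4])[0], pdu[4:]
        if drb.policy.confidentiality:
            body = bytes(a ^ b for a, b in zip(body, self._keystream(drb.drb_id, count, len(body))))
        if not drb.policy.integrity:
            return body  # nothing to verify: tampering on this DRB is undetectable
        sdu, mac = body[:-4], body[-4:]
        if not hmac.compare_digest(mac, self._mac(drb.drb_id, count, sdu)):
            raise IntegrityError(f"MAC-I check failed on DRB {drb.drb_id}")
        return sdu


# Constructed tables (illustrative): attribute 3 is a control-type flow that
# needs both protections, attribute 9 is best-effort traffic.
QFI_TO_QOS_ATTR = {1: 3, 2: 9, 3: 3}
QOS_ATTR_TO_POLICY = {3: SecurityPolicy(True, True), 9: SecurityPolicy(False, False)}
K_INT, K_ENC = b"\x11" * 32, b"\x22" * 32


def build_node() -> AccessNode:
    return AccessNode(derive_qfi_policies(QFI_TO_QOS_ATTR, QOS_ATTR_TO_POLICY), K_INT, K_ENC)


if __name__ == "__main__":
    gnb = build_node()
    drb = gnb.drb_for_qfi(1)
    pdu = gnb.protect(drb, 7, b"set valve=42")
    print(drb, pdu.hex(), gnb.unprotect(drb, pdu))
```

Running it shows the point of the scheme: QFIs 1 and 3 share one DRB with integrity and ciphering on, QFI 2 gets its own unprotected DRB, a flipped bit on the protected DRB is rejected with `IntegrityError`, while the same tamper on the unprotected DRB passes straight through, which is exactly the risk that a per-session policy set to "off" would impose on every flow.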
In a second aspect, the present application discloses a communication method, which may be applied to a terminal device, a module (e.g. a chip or a processor) in the terminal device, or a logic module or software capable of implementing all or part of the functions of the terminal device. The following description takes the terminal device as the execution subject. The communication method may include: the terminal device receives indication information from the access network device, the indication information indicating that security protection is to be performed on the first DRB, the security protection comprising integrity and/or confidentiality protection; and performs security protection on the first DRB according to the indication information.
According to this embodiment, security policy control of the user-plane session is performed at QoS flow/DRB granularity: different security policies are associated with specific QoS flows, and the QoS flows are mapped to DRBs, so that different QoS flows/DRBs can execute different security policies and security protection is performed per QoS flow/DRB. This meets the security requirements of different types of service and, compared with the case in which all QoS flows/DRBs of a PDU session use the same security policy at PDU session granularity, matches the protection of service data more accurately to the service.
It should be understood that the execution body of the second aspect may be a terminal device, where specific content of the second aspect corresponds to content of the first aspect, and corresponding features and achieved beneficial effects of the second aspect may refer to description of the first aspect, and detailed description is omitted here appropriately to avoid repetition.
One possible implementation manner, performing security protection on the first DRB according to the indication information includes: the terminal equipment executes security protection on the first data packet according to the indication information; and sending the first data packet subjected to security protection to access network equipment through the first DRB.
One possible implementation manner, performing security protection on the first DRB according to the indication information includes: the terminal equipment receives a second data packet from the access network equipment through the first DRB; and executing security protection on the second data packet according to the indication information.
In a third aspect, the present application discloses a communication method, where the communication method may be applied to an SMF network element, a module (e.g. a chip or a processor) in the SMF network element, and a logic module or software capable of implementing all or part of the SMF network element functions. The following description will take an example in which the execution body is an SMF network element. The communication method may include: the SMF network element acquires a security policy corresponding to QFI of the QoS flow; and sending the security policy corresponding to the QFI of the QoS flow to the access network equipment.
According to this embodiment, security policy control of the user-plane session is performed at QoS flow/DRB granularity: different security policies are associated with specific QoS flows, and the QoS flows are mapped to DRBs, so that different QoS flows/DRBs can execute different security policies and security protection is performed per QoS flow/DRB. This meets the security requirements of different types of service and, compared with the case in which all QoS flows/DRBs of a PDU session use the same security policy at PDU session granularity, matches the protection of service data more accurately to the service.
It should be understood that the implementation body of the third aspect may be an SMF network element, where specific contents of the third aspect correspond to those of the first aspect, and corresponding features and achieved beneficial effects of the third aspect may refer to the description of the first aspect, and detailed descriptions are omitted herein as appropriate to avoid repetition.
In a possible implementation manner, the SMF network element obtaining the security policy corresponding to the QFI of the QoS flow includes: the SMF network element receives policy and charging control (PCC) rules from a policy control function (PCF) network element, the PCC rules comprising QoS attribute indication information and security policies, the security policies comprising integrity protection and/or confidentiality protection policies; associates each PCC rule to a QoS flow based on the QoS attribute indication information and the security policy; and obtains the security policy corresponding to the QFI of the QoS flow based on the PCC rule and the QoS flow associated with it.
In one possible implementation, associating the PCC rule to the QoS flow based on the QoS attribute indication information and the security policy includes: determining a QoS flow capable of supporting QoS attribute indicating information and a security policy from the created QoS flows or creating a QoS flow supporting the QoS attribute indicating information and the security policy; PCC rules are associated to QoS flows.
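The SMF-side binding of the third aspect (PCF sends PCC rules carrying a QoS attribute and a security policy; the SMF binds each rule to a QoS flow that supports both, creating a flow where none exists, and derives the QFI-to-policy table it sends to the access network), as an added example that is not code from the patent. Assumptions: a PCC rule is modelled by a name, a 5QI-like integer QoS attribute and a security policy; the binding key is the pair (QoS attribute, security policy), so two rules with the same QoS attribute but different policies never share a QFI; QFIs are drawn from the 6-bit range carried in the SDAP header. The `session_granularity_policy` helper is added to contrast the scheme with the per-PDU-session policy described in the Background.

```python
"""SMF-side binding of PCC rules to QoS flows carrying a security policy.

Added illustration, not code from the patent. The PCC rules at the bottom are
constructed test values.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass(frozen=True)
class SecurityPolicy:
    integrity: bool
    confidentiality: bool


@dataclass(frozen=True)
class PCCRule:
    name: str
    qos_attr: int          # assumed 5QI-like QoS attribute indication
    policy: SecurityPolicy


@dataclass
class QoSFlow:
    qfi: int
    qos_attr: int
    policy: SecurityPolicy
    rules: list[str] = field(default_factory=list)


class SessionManager:
    """QoS flows of one PDU session and the per-QFI policies sent towards the gNB."""

    MAX_QFI = 63  # QFI is a 6-bit field

    def __init__(self) -> None:
        self.flows: dict[int, QoSFlow] = {}
        self._next_qfi = 1

    def bind(self, rule: PCCRule) -> QoSFlow:
        """Bind a PCC rule to a QoS flow that supports both its QoS attribute and its
        security policy; create the flow if none does. Rules that share an attribute
        but differ in policy therefore land on different QFIs."""
        for flow in self.flows.values():
            if (flow.qos_attr, flow.policy) == (rule.qos_attr, rule.policy):
                flow.rules.append(rule.name)
                return flow
        if self._next_qfi > self.MAX_QFI:
            raise RuntimeError("QFI space exhausted")
        flow = QoSFlow(self._next_qfi, rule.qos_attr, rule.policy, [rule.name])
        self.flows[flow.qfi] = flow
        self._next_qfi += 1
        return flow

    def qfi_security_policies(self) -> dict[int, SecurityPolicy]:
        """The table the SMF sends to the access network: QFI -> security policy."""
        return {qfi: flow.policy for qfi, flow in self.flows.items()}

    def session_granularity_policy(self) -> SecurityPolicy:
        """What a single per-PDU-session policy would have to be to satisfy every flow:
        the union of all requirements, which then costs every DRB in the session."""
        flows = self.flows.values()
        return SecurityPolicy(
            integrity=any(f.policy.integrity for f in flows),
            confidentiality=any(f.policy.confidentiality for f in flows),
        )


# Constructed PCC rules (illustrative): two control rules needing full protection,
# a monitoring stream on the same QoS attribute without it, and best-effort logs.
RULES = [
    PCCRule("plc-control", 3, SecurityPolicy(True, True)),
    PCCRule("video-monitor", 3, SecurityPolicy(False, False)),
    PCCRule("safety-stop", 3, SecurityPolicy(True, True)),
    PCCRule("logs", 9, SecurityPolicy(False, False)),
]


def build_session() -> SessionManager:
    smf = SessionManager()
    for rule in RULES:
        smf.bind(rule)
    return smf


if __name__ == "__main__":
    smf = build_session()
    for flow in smf.flows.values():
        print(flow)
    print("to gNB:", smf.qfi_security_policies())
    print("per-session fallback:", smf.session_granularity_policy())
```

With these rules the session ends up with three QoS flows: `plc-control` and `safety-stop` share QFI 1 with integrity and ciphering on, `video-monitor` gets QFI 2 unprotected although it has the same QoS attribute, and `logs` gets QFI 3. A single per-session policy would have to be (integrity, confidentiality) for all of them.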
In a fourth aspect, embodiments of the present application provide a communication device. The communication device may be applied to the access network equipment, a module (e.g. a chip or a processor) in the access network equipment, and a logic module or software capable of implementing all or part of the functions of the access network equipment.
The communication device has functional units that implement the actions in the method examples of the first aspect described above. The functions may be implemented by hardware, or may be implemented by hardware executing corresponding software. The hardware or software includes one or more modules corresponding to the functions described above. The advantages may be seen from the description of the first aspect, which is not repeated here.
In a fifth aspect, embodiments of the present application provide a communication device. The communication device may be applied to the terminal device, a module (e.g., a chip or a processor) in the terminal device, and a logic module or software that can implement all or part of the functions of the terminal device.
The communication device has functional units that implement the actions in the method example of the second aspect described above. The functions may be implemented by hardware, or may be implemented by hardware executing corresponding software. The hardware or software includes one or more modules corresponding to the functions described above. The advantages may be seen from the description of the second aspect, which is not repeated here.
In a sixth aspect, embodiments of the present application provide a communication device. The communication device may be applied to an SMF network element, a module (e.g. a chip or a processor) in the SMF network element, and a logic module or software that can implement all or part of the SMF network element functions.
The communication device has functional units that implement the actions in the method example of the third aspect described above. The functions may be implemented by hardware, or may be implemented by hardware executing corresponding software. The hardware or software includes one or more modules corresponding to the functions described above. The advantages may be seen from the description of the third aspect, which is not repeated here.
In a seventh aspect, a communication apparatus is provided, where the communication apparatus may be an access network device in an embodiment of the method described above, or a chip or a processor provided in the access network device. The communication means may comprise a processor coupled to a memory for storing programs or instructions which, when executed by the processor, cause the communication means to perform the method of the above-described method embodiments performed by the access network device, or a chip or processor in the access network device.
In an eighth aspect, a communication apparatus is provided, where the communication apparatus may be a terminal device in an embodiment of the method described above, or a chip or a processor provided in the terminal device. The communication means may comprise a processor coupled to a memory for storing programs or instructions which, when executed by the processor, cause the communication means to perform the method of the above-described method embodiments performed by the terminal device, or a chip or processor in the terminal device.
In a ninth aspect, a communication device is provided, where the communication device may be an SMF network element in an embodiment of a method as described above, or a chip or a processor arranged in an SMF network element. The communication device includes a processor coupled to a memory for storing programs or instructions that, when executed by the processor, cause the communication device to perform the methods performed by the SMF network element, or a chip or processor in the SMF network element, in the method embodiments described above.
In a tenth aspect, the present application provides a computer readable storage medium having stored thereon a computer program or computer instructions which, when executed by a processor, cause the above methods to be performed.
In an eleventh aspect, the present application provides a computer program product comprising executable instructions which, when run on a user equipment, cause the above methods to be performed.
In a twelfth aspect, the present application provides a communication system that includes one or more of a terminal device, an access network device, an SMF network element, and/or a UPF network element.
In a thirteenth aspect, the present application provides a chip system comprising a processor for implementing the functions of the methods described above. In one possible implementation, the system on a chip may also include memory for storing program instructions and/or data. The chip system may be formed of a chip or may include a chip and other discrete devices.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present application, the drawings that are required to be used in the description of the embodiments will be briefly described below.
Fig. 1 is a schematic diagram of a network architecture according to an embodiment of the present application;
fig. 2 is a schematic diagram of a PDU session, DRB and QoS flow as disclosed in an embodiment of the present application;
fig. 3 is a schematic flow chart of a communication method according to an embodiment of the present application;
FIG. 4 is an interactive schematic diagram of another communication method provided in an embodiment of the present application;
FIG. 5 is an interactive schematic diagram of yet another communication method provided in an embodiment of the present application;
fig. 6 is a schematic structural diagram of a communication device according to an embodiment of the present application;
fig. 7 is a schematic structural diagram of another communication device according to an embodiment of the present application;
fig. 8 is a schematic structural diagram of still another communication device according to an embodiment of the present application;
fig. 9 is a schematic structural diagram of still another communication device according to an embodiment of the present application;
fig. 10 is a schematic structural diagram of a terminal device according to an embodiment of the present application.
Detailed Description
In the description of the present application, "/" means "or" unless otherwise indicated, for example, a/B may mean a or B. The term "and/or" in this application is merely an association relation describing an association object, and means that three kinds of relations may exist, for example, a and/or B may mean: a exists alone, A and B exist together, and B exists alone. Furthermore, "at least one" may refer to one or more, and "a plurality" may refer to two or more. The "first", "second", etc. do not limit the number and order of execution, and the "first", "second", etc. do not necessarily differ.
In this application, the terms "exemplary" or "such as" are used to mean serving as an example, instance, or illustration. Any embodiment or design described herein as "exemplary" or "for example" should not be taken as preferred or advantageous over other embodiments or designs. Rather, the use of words such as "exemplary" or "such as" is intended to present related concepts in a concrete fashion.
In the description of the present application, "indication" may include direct indication and indirect indication, and may include display indication and implicit indication. Information indicated by a certain information (indication information described below) is called information to be indicated, and in a specific implementation process, there are various ways to indicate the information to be indicated. For example, the information to be indicated may be directly indicated, such as indicating the information to be indicated itself or an index of the information to be indicated. For another example, the information to be indicated may be indirectly indicated by indicating other information, where there is an association relationship between the indicated other information and the information to be indicated. For another example, only a portion of the information to be indicated may be indicated, while other portions of the information to be indicated are known or agreed in advance. In addition, the indication of the specific information can be realized by means of the arrangement sequence of the various information which is pre-agreed (as specified by the protocol), so that the indication overhead is reduced to a certain extent.
In order to better understand a communication method proposed in the present application, a network architecture to which an embodiment of the present application is applied is described below.
The technical solution of the embodiment of the application can be applied to various communication systems, for example: global system for mobile communication (GSM), code division multiple access (CDMA), wideband code division multiple access (WCDMA) systems, general packet radio service (GPRS), long term evolution (LTE) systems, LTE frequency division duplex (FDD) systems, LTE time division duplex (TDD) systems, universal mobile telecommunications system (UMTS), enhanced data rates for GSM evolution (EDGE) systems, and worldwide interoperability for microwave access (WiMAX) systems. The technical solutions of the embodiments of the present application may also be applied to other communication systems, such as a public land mobile network (PLMN) system, an LTE-Advanced (LTE-A) system, a 5G system, an NR system, a machine-to-machine (M2M) communication system, or other communication systems that evolve in the future, which are not limited in this application.
An application scenario of the embodiment of the present application is exemplarily described below with reference to fig. 1. Fig. 1 is a schematic diagram of a network architecture according to an embodiment of the present application. As shown in fig. 1, the network architecture may be, for example, a non-roaming (non-roaming) architecture. The network architecture may include the following devices, network elements, and networks:
1. Terminal equipment: may be referred to as a user equipment (UE), terminal, access terminal, subscriber unit, subscriber station, mobile station, remote terminal, mobile device, wireless communication device, terminal agent, or terminal apparatus, etc. The UE may also be a cellular phone, a cordless phone, a session initiation protocol (SIP) phone, a wireless local loop (WLL) station, a personal digital assistant (PDA), a handheld device with wireless communication functionality, a computing device or other processing device connected to a wireless modem, a vehicle-mounted or wearable device, a terminal device in a future 6G network or in a future evolved public land mobile network (PLMN), an end device, a logic entity, a smart device such as a mobile phone or smart terminal, a virtual reality (VR) terminal device, an augmented reality (AR) terminal device, a wireless terminal in industrial control, a wireless terminal in self driving, a wireless terminal in remote medical, a wireless terminal in a smart grid, a wireless terminal in transportation safety, a smart meter, a wireless terminal in a smart home, a wireless gateway, a smart controller, a wireless internet of things (IoT) terminal, or the like. The embodiments of the present application are not limited in this regard.
In the embodiment of the present application, for example, in the industrial field, the terminal device may be a client device (customer premise equipment, CPE), and the industrial terminal may be a device that specifically performs an industrial control operation, such as a temperature sensor or a mechanical arm, where such an industrial terminal generally does not have a 5G access capability, and needs to be connected to a CPE having a 5G capability, so that the industrial terminal may indirectly access to the 5G network through the CPE; alternatively, the terminal device may be an aggregate of industrial terminals and CPE that may be developed in the future, and specifically may be understood as an industrial terminal with 5G capability, etc., which is not limited in this application.
2. (Radio) access network (RAN): provides network access functions for authorized terminals in a specific area, and can use transmission tunnels of different quality according to the level of the terminal, the service requirement, and the like. The access network may employ different access technologies. There are currently two types of radio access technology: third generation partnership project (3rd Generation Partnership Project, 3GPP) access technologies (for example, the radio access technologies employed in 4G and 5G systems) and non-3GPP access technologies. A 3GPP access technology is an access technology conforming to the 3GPP standard specifications; an access network employing a 3GPP access technology is called a RAN, and the access network device in the 5G system is called a next generation Node B (gNB). A non-3GPP access technology is an access technology that does not conform to the 3GPP standard specifications, for example an air interface technology typified by the access point (AP) in Wi-Fi.
An access network implementing access network functions based on wireless communication technology may be referred to as a RAN. The RAN can manage radio resources, provide access services for the terminal, and further complete forwarding of control signals and terminal data between the terminal and the core network.
The RAN may be, for example, a base station (NodeB), an evolved base station (evolved NodeB, eNB or eNodeB), a base station (gNB) in a 5G mobile communication system, a base station in a future mobile communication system, an AP in a Wi-Fi system, or the like; it may also be a radio controller in a cloud radio access network (CRAN) scenario, or the access network device may be a relay station, an access point, a vehicle device, a wearable device, a network device in a future 6G network, a network device in a future evolved PLMN network, or the like. The embodiments of the present application do not limit the specific technology or the specific equipment form adopted by the radio access network device.
3. Access and mobility management function (AMF) entity: mainly used for mobility management, access management, and the like, and may implement the functions of a mobility management entity (MME) other than session management, such as lawful interception and access authorization/authentication. In the embodiments of the present application, this entity may be used to implement the functions of the access and mobility management network element.
4. Session management function (SMF) entity: mainly used for session management, allocation and management of the internet protocol (IP) address of the terminal device, selection and management of the user plane function, termination point of the policy control and charging function interface, downlink data notification, and the like. In the embodiments of the present application, this entity may be used to implement the functions of the session management network element.
5. User plane function (UPF) entity: i.e. the data plane gateway. May be used for packet routing and forwarding, quality of service (QoS) handling of user plane data, and the like. User data may access a data network (DN) through this network element. In the embodiments of the present application, this entity may be used to implement the functions of the user plane network element.
6. Data Network (DN): for providing a network for transmitting data. Such as a network of operator services, internet network, third party service network, etc.
7. Network exposure function (NEF) entity: used to securely expose the services and capabilities provided by 3GPP network functions, etc., to the outside.
8. Policy control function (PCF) entity: used to perform policy control functions such as charging, QoS bandwidth guarantee, mobility management, and terminal device policy decisions at the session and service flow levels. In this architecture, the PCF entities to which the AMF and the SMF are connected correspond to the AM PCF (PCF for Access and Mobility Control) and the SM PCF (PCF for Session Management) respectively, and may not be the same PCF entity in an actual deployment scenario.
9. Unified data management (UDM) entity: used for processing terminal device identification, access authentication, registration, subscription management for mobility, and the like.
10. Application function (AF) entity: used for application-influenced data routing, accessing the network exposure function network element, interacting with the policy framework to perform policy control, and the like. The AF network element may convey the demands of the application side to the network side, e.g. QoS demands or user state event subscriptions. When interacting with the core network, the AF network element, as an application function entity, may additionally go through authorization processing at the NEF: for example, it sends a request message directly to the NEF, the NEF determines whether the AF is allowed to send that request message, and if the AF passes the verification, the NEF forwards the request message to the corresponding PCF or UDM.
11. Unified data repository (UDR) entity: provides a unified data storage function and is mainly responsible for the access function for subscription data, policy data, application data, and other types of data.
In this network architecture, N1 is the interface between the AMF entity and the UE, used for delivering QoS rules and the like to the UE; N2 is the interface between the AMF entity and the RAN, used for transmitting radio bearer control information from the core network side to the RAN, etc.; N3 is the interface between the RAN and the UPF entity, used for transmitting user plane data, etc.; N4 is the interface between the SMF entity and the UPF entity, used for transmitting information between the control plane and the user plane, including the issuing of user-plane-facing forwarding rules, QoS rules, flow statistics rules and the like, and the reporting of user plane information; N5 is the interface between the AF entity and the PCF entity, used for issuing application service requests and reporting network events; N6 is the interface between the UPF entity and the DN, used for transmitting user plane data, etc.; N7 is the interface between the PCF entity and the SMF entity, used for issuing PDU session granularity and service data flow granularity control policies; N8 is the interface between the AMF entity and the UDM entity, used by the AMF entity to obtain subscription data and authentication data related to access and mobility management from the UDM entity, and to register the UE's current mobility management related information with the UDM entity; N10 is the interface between the SMF entity and the UDM entity, used by the SMF entity to obtain session management related subscription data from the UDM entity and to register the UE's current session related information with the UDM entity; N11 is the interface between the SMF entity and the AMF entity, used to transfer PDU session tunnel information between the RAN and the UPF entity, to transfer control messages sent to the UE, to transfer radio resource control information sent to the RAN, and so on; N15 is the interface between the PCF entity and the AMF entity, used for issuing UE policies and access control related policies; N35 is the interface between the UDM entity and the UDR entity, used by the UDM entity to obtain user subscription data from the UDR entity; N36 is the interface between the PCF entity and the UDR entity, used by the PCF entity to obtain policy related subscription data and application data related information from the UDR entity; N52 is the interface between the UDM entity and the NEF entity, used by the NEF entity to expose network capabilities to third party application functions, for example a third party application function subscribing, through the NEF entity, to the UDM entity for reachability events of all users in a particular group. Optionally, the NEF entity has direct interfaces with the AMF entity and the SMF entity, corresponding to the N29 and N51 interfaces respectively (not shown in fig. 1, to simplify the illustration), for exposing the operator's network capabilities to third party application function entities; the former can be used by the NEF entity to subscribe directly to the AMF entity for corresponding network events and to update user configuration information, and the latter can be used to update application configuration data on the SMF entity/UPF entity, such as the packet flow description (PFD) information corresponding to an application identifier.
The user registration procedure may be understood as follows: the terminal device sends a registration request to the AMF entity through the AN, the AMF entity obtains subscription data from a specific UDM entity according to the user identifier, and the UDM entity may obtain the actual subscription data from the UDR entity after receiving the request. In addition, the AMF entity may also initiate a UE policy control create request (UEPolicyControl_Create) and an access management policy control create request (AMPolicyControl_Create) to the PCF entity, for acquiring the terminal device policy and the access control policy respectively. The PCF entity returns the access control policy to the AMF entity in this procedure, and provides the terminal device policy to the terminal device via the AMF entity. The session establishment procedure may be understood as follows: the terminal device sends a session establishment request to the AMF entity through the RAN; the AMF entity selects the SMF entity that serves the session, stores the correspondence between the SMF entity and the PDU session, and sends the session establishment request to the SMF entity; the SMF entity selects the corresponding UPF entity for the terminal device, establishes a user plane transmission path, and allocates an IP address to the terminal device. In this procedure, the SMF entity also initiates a policy control session establishment request to the PCF entity, for establishing a policy control session between the SMF entity and the PCF entity, and during policy control session establishment the SMF entity saves the correspondence between the policy control session and the PDU session. In addition, the AF entity may also establish an AF session with the PCF entity, and the PCF entity binds the AF session to the policy control session.
It should be understood that the network architecture applied to the embodiments of the present application is merely an exemplary network architecture described from the perspective of a conventional point-to-point architecture and a service architecture, and the network architecture to which the embodiments of the present application are applicable is not limited thereto, and any network architecture capable of implementing the functions of the respective network elements described above is applicable to the embodiments of the present application.
It should also be understood that the AMF entity, SMF entity, UPF entity, DN entity, NEF entity, PCF entity, UDM entity, AF entity, UDR entity shown in fig. 1 may be understood as network elements in the core network for implementing different functions, e.g. may be combined into network slices as required. The core network elements may be independent devices, or may be integrated in the same device to implement different functions, which is not limited in this application.
Hereinafter, for convenience of explanation, an entity implementing the AMF is denoted as an access and mobility management network element, an entity implementing the SMF as a session management function network element, an entity implementing the UPF as a user plane network element, an entity implementing the DN as a data network element, an entity implementing the NEF as a network exposure network element, an entity implementing the PCF as a policy control function network element, an entity implementing the UDM as a unified data management network element, an entity implementing the AF as an application function network element, and an entity implementing the UDR as a unified data repository network element. It should be understood that these designations are used only to distinguish between different functions and should not be construed as limiting the application in any way; they do not exclude the use of other designations in 6G and possibly other future networks. For example, in a 6G network some or all of the individual network elements may keep the 5G terminology, or may be given other names, etc. This convention applies uniformly herein and will not be repeated.
It should also be understood that the names of interfaces between the network elements in fig. 1 are only an example, and the names of interfaces in the specific implementation may be other names, which are not specifically limited in this application. Furthermore, the names of the transmitted messages (or signaling) between the various network elements described above are also merely an example, and do not constitute any limitation on the function of the message itself.
The definitions of technical terms that may appear in the embodiments of the present application are given below. The terminology used in the description section of the present application is for the purpose of describing particular embodiments of the present application only and is not intended to be limiting of the present application.
(1)QoS
In order to provide different quality of service for different services, the wireless network provides QoS. QoS management is the control mechanism by which the wireless network meets different quality of service requirements; it is an end-to-end process that requires the network nodes traversed by a service, from initiator to responder, to cooperate so as to guarantee the quality of service. The air interface QoS management feature provides different end-to-end quality of service for the different needs of various services and users. QoS management is supported under both NSA (Non-Standalone) and SA (Standalone) networking.
Currently, the QoS guarantee mechanisms in 5G communications include QoS flows supporting a guaranteed bit rate (GBR) and QoS flows that are not GBR (Non-GBR).
Within one PDU session, the QoS flow is the finest granularity at which QoS is distinguished. In 5G systems, the QFI is used to identify a QoS flow and is unique within one PDU session, i.e. one PDU session may have multiple (up to 64) QoS flows, but the QFI of each QoS flow is different. Within one PDU session, user plane traffic flows with the same QFI receive the same traffic forwarding treatment (e.g. scheduling). Referring to fig. 2, fig. 2 is a schematic diagram of a PDU session, DRBs and QoS flows according to an embodiment of the present application. As shown in fig. 2, at configuration granularity one PDU session may correspond to multiple DRBs, and services on the same DRB may also use different service levels, i.e. QoS flows; one DRB may in turn correspond to one or more QoS flows, and the QoS configuration is at QoS flow level.
In a 5G system (5GS), QoS flows are controlled by the SMF network element of the core network, and are either preconfigured or established through PDU session establishment and modification. The configuration of one QoS flow may include the PDR of the UPF network element and the QoS profile of the access network device.
The PDRs of the UPF network element may include uplink PDRs and downlink PDRs, which are provided by the SMF network element over the N4 interface. For an internet protocol version 4 (IPv4), IPv6 or IPv4v6 PDU session, a PDR may include CN tunnel information (tunnel info), network instance, QFI, an IP packet filter set, and an application identifier. The CN tunnel information may be the core network address of the N3/N9 tunnel corresponding to the PDU session. The network instance is identification information of a domain and is used for traffic detection and routing in the UPF network element. The IP packet filter set may include a series of parameters related to IP packet filtering. The application identifier is an index to a set of application detection rules configured in the UPF network element. For an Ethernet PDU session, a PDR may include CN tunnel information, network instance, QFI, and an Ethernet packet filter set, which may include a series of parameters related to Ethernet packet filtering.
The QoS profile of the access network device may be provided by the SMF network element through an N2 interface between the AMF network element and the access network device, or may be preconfigured. The QoS profile may include information as shown in table 1.
Table 1: Information included in the QoS profile
Whether a QoS flow configured by a QoS profile is "GBR" or "Non-GBR" depends on its QoS profile. The QoS profile for each QoS flow would include 5QI and ARP. The QoS profile for each Non-GBR QoS flow may also include a RQA. The QoS profile for each GBR QoS flow may also include GFBR and MFBR. The QoS configuration for each GBR QoS flow may also include indication control and MPLR.
(2) Security policy
The security policy may include an integrity protection and/or confidentiality protection policy. It is to be appreciated that the security policy can be utilized to indicate whether and/or what security protection is to be performed. Wherein:
integrity protection: and the transmitting end performs integrity protection on the plaintext or ciphertext according to the integrity protection algorithm and the integrity protection key. The receiving end can carry out integrity verification on the data subjected to the integrity protection according to the same integrity protection algorithm and the same integrity protection key.
Confidentiality protection: and the sending end performs confidentiality protection on the plaintext or ciphertext according to a confidentiality protection algorithm and a confidentiality protection key. The receiving end can decrypt the data subjected to confidentiality protection according to the same confidentiality protection algorithm and confidentiality protection key.
It is to be understood that the above definitions of the various technical terms are provided by way of example only. For example, as technology continues to evolve, the scope of the above definition may also change, and the embodiments of the present application are not limited.
In combination with the above network architecture, a communication method provided in the embodiments of the present application is described below.
Referring to fig. 3, fig. 3 is a flow chart of a communication method according to an embodiment of the present application. Fig. 3 illustrates the method from the access network device as an execution subject, where the access network device in fig. 3 may also be a chip, a chip system, or a processor supporting the access network device to implement the method, or may also be a logic module or software capable of implementing all or part of the functions of the access network device. As shown in fig. 3, the communication method may include the following steps.
S301: the access network equipment acquires a security policy corresponding to the QFI.
The QFI is the identifier of a QoS flow. The security policy, which may also be referred to as security protection indication information or the like, may include an integrity protection and/or confidentiality protection policy. Optionally, the security policy may be used to indicate whether security protection is performed/activated (activate); for example, the security policy may indicate that security protection (integrity protection and/or confidentiality protection) is required, recommended, or not required (not_required). Optionally, the security policy may be used to indicate which security protection is performed. For example, the security policy may indicate that confidentiality protection is required and integrity protection is not required, or that confidentiality protection is recommended and integrity protection is not required, or that confidentiality protection is not required and integrity protection is required, and so on.
Alternatively, the security policy may take the form of an identifier, which may be a preset character, string, value, or the like, where different identifier values represent different security policies. For example, the identifier may be a two-bit value: when set to 00, it may indicate that neither confidentiality protection nor integrity protection is required; when set to 01, it may indicate that confidentiality protection is required and integrity protection is not required; when set to 02, it may indicate that confidentiality protection is not required and integrity protection is required; and when set to 03, it may indicate that both confidentiality protection and integrity protection are required. It will be appreciated that the above representation of the security policy is merely illustrative, and the present application does not limit how the security policy is represented.
The access network device may acquire the security policy corresponding to the QFI in any one of the following possible implementations:
A first possible implementation: the session management function network element sends the security policy corresponding to the QFI to the access network device, and correspondingly the access network device receives the security policy corresponding to the QFI from the session management function network element. Specifically, the session management function network element sends the QFI and the security policy to the access network device, which may also be described as sending the correspondence between the QFI and the security policy to the access network device. Other similar transmission methods are not described in detail in this application.
A second possible implementation: the access network device acquires the QoS attribute indication information corresponding to the QFI, where the QoS attribute indication information indicates the quality of service guarantee adopted for the data flow; it also acquires the security policy corresponding to that QoS attribute indication information, and determines the security policy corresponding to the QFI from the QoS attribute indication information corresponding to the QFI and the security policy corresponding to the QoS attribute indication information. In one embodiment, the session management function network element sends the QoS attribute indication information corresponding to the QFI to the access network device, and correspondingly the access network device receives it from the session management function network element; the application function network element sends the security policy corresponding to the QoS attribute indication information to the access network device, and correspondingly the access network device receives it from the application function network element.
S302: and the access network equipment executes security protection on the first DRB corresponding to the QFI according to the security policy.
After the access network device obtains the security policy corresponding to the QFI, security protection can be performed on the first DRB corresponding to the QFI according to the security policy. It will be appreciated that the access network device may perform security protection on the data packets carried on the first DRB. It is also understood that the first DRB supports the corresponding security policy of QFI. Security protection may include integrity and/or confidentiality protection, among others.
For example, if the security policy indicates that security protection is required, the access network device may determine that the first DRB corresponding to the QFI enables confidentiality protection and/or integrity protection; if the security policy indicates that security protection is recommended, the access network device may determine either that the first DRB corresponding to the QFI enables confidentiality protection and/or integrity protection or that it does not; and if the security policy indicates that security protection is not required, the access network device may determine that the first DRB corresponding to the QFI does not enable confidentiality protection and/or integrity protection.
For example, if the security policy indicates that confidentiality protection is required and integrity protection is not required, the access network device may determine that the first DRB corresponding to the QFI enables confidentiality protection and does not enable integrity protection. For another example, if the security policy indicates that confidentiality protection is recommended and integrity protection is not required, the access network device may determine that the first DRB corresponding to the QFI enables confidentiality protection and does not enable integrity protection, or that it enables neither confidentiality protection nor integrity protection. For another example, if the security policy indicates that confidentiality protection is not required and integrity protection is required, the access network device may determine that the first DRB corresponding to the QFI does not enable confidentiality protection and enables integrity protection, and so on.
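As an added illustration of steps S301 and S302 (example code, not code from the patent or from any 3GPP implementation), the following Python model shows the two ways the access network device can obtain the security policy for a QFI, the two-bit identifier form described above, and how the policy becomes protection on the DRB. The bit layout of the identifier, the precedence of a directly received policy over one derived from the QoS attribute indication, the local choice for "recommended", and the check that rejects a QFI whose required/not_required policy contradicts a DRB already configured are assumptions of this example.

```python
# Added example (not code from the patent or any 3GPP implementation): a model of the access
# network device in steps S301/S302. Bit layout, precedence and the conflict check are assumptions.
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional, Tuple


class Policy(Enum):
    REQUIRED = "required"
    RECOMMENDED = "recommended"
    NOT_REQUIRED = "not_required"


@dataclass(frozen=True)
class SecurityPolicy:
    confidentiality: Policy
    integrity: Policy


def decode_identifier(value: int) -> SecurityPolicy:
    """Decode the two-bit identifier form (the page's 00/01/02/03 read as 0..3).

    Assumed layout: bit 0 = confidentiality required, bit 1 = integrity required.
    This form can only express required / not_required, never "recommended".
    """
    if not 0 <= value <= 3:
        raise ValueError(f"identifier must fit in two bits, got {value}")
    conf = Policy.REQUIRED if value & 0b01 else Policy.NOT_REQUIRED
    integ = Policy.REQUIRED if value & 0b10 else Policy.NOT_REQUIRED
    return SecurityPolicy(conf, integ)


def encode_identifier(policy: SecurityPolicy) -> int:
    """Inverse of decode_identifier; rejects policies the two-bit form cannot carry."""
    if Policy.RECOMMENDED in (policy.confidentiality, policy.integrity):
        raise ValueError("two-bit identifier cannot encode 'recommended'")
    return int(policy.confidentiality is Policy.REQUIRED) | (int(policy.integrity is Policy.REQUIRED) << 1)


class AccessNetworkDevice:
    """State the access network device keeps about QFIs, DRBs and their security protection."""

    def __init__(self, enable_when_recommended: bool = True) -> None:
        # Local choice for "recommended": S302 leaves both enabling and not enabling open.
        self.enable_when_recommended = enable_when_recommended
        self.qfi_policy: Dict[int, SecurityPolicy] = {}        # S301, first implementation (from SMF)
        self.qfi_qos_attr: Dict[int, str] = {}                  # S301, second implementation (from SMF)
        self.qos_attr_policy: Dict[str, SecurityPolicy] = {}    # S301, second implementation (from AF)
        self.drb_protection: Dict[int, Tuple[bool, bool]] = {}  # DRB id -> (ciphering on, integrity on)
        self.qfi_to_drb: Dict[int, int] = {}

    # --- S301: acquiring the security policy corresponding to a QFI ---
    def receive_policy_from_smf(self, qfi: int, policy: SecurityPolicy) -> None:
        self.qfi_policy[qfi] = policy

    def receive_qos_attr_from_smf(self, qfi: int, qos_attr: str) -> None:
        self.qfi_qos_attr[qfi] = qos_attr

    def receive_attr_policy_from_af(self, qos_attr: str, policy: SecurityPolicy) -> None:
        self.qos_attr_policy[qos_attr] = policy

    def security_policy_for_qfi(self, qfi: int) -> Optional[SecurityPolicy]:
        """A policy sent directly for the QFI wins; otherwise derive one via the QoS attribute."""
        if qfi in self.qfi_policy:
            return self.qfi_policy[qfi]
        qos_attr = self.qfi_qos_attr.get(qfi)
        return None if qos_attr is None else self.qos_attr_policy.get(qos_attr)

    # --- S302: performing security protection on the DRB corresponding to the QFI ---
    def _decide(self, p: Policy) -> bool:
        if p is Policy.REQUIRED:
            return True
        if p is Policy.NOT_REQUIRED:
            return False
        return self.enable_when_recommended

    def bind_qfi_to_drb(self, qfi: int, drb_id: int) -> Tuple[bool, bool]:
        """Map a QFI onto a DRB and activate protection on that DRB per the QFI's policy.

        A DRB has one protection setting for every QoS flow it carries, so a QFI whose
        required / not_required policy contradicts an already configured DRB is rejected
        rather than silently changing the protection of the flows already on that DRB.
        """
        policy = self.security_policy_for_qfi(qfi)
        if policy is None:
            raise LookupError(f"no security policy known for QFI {qfi}")
        wanted = (self._decide(policy.confidentiality), self._decide(policy.integrity))
        current = self.drb_protection.get(drb_id)
        if current is not None and current != wanted:
            for have, p in zip(current, (policy.confidentiality, policy.integrity)):
                if p is not Policy.RECOMMENDED and have != (p is Policy.REQUIRED):
                    raise ValueError(f"QFI {qfi} policy conflicts with DRB {drb_id} protection {current}")
            wanted = current  # only a "recommended" dimension differed: keep the DRB's setting
        self.drb_protection[drb_id] = wanted
        self.qfi_to_drb[qfi] = drb_id
        return wanted
```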
According to the embodiments of the present application, security policy control at DRB granularity within a user plane session can be realized: different DRBs correspond to different security policies, so that data security protection at DRB granularity is achieved and the security requirements of different types of service are met. Compared with the case where all DRBs of a PDU session use the same security policy at PDU session granularity, the precision of the security protection of service data can be improved.
Referring to fig. 4, fig. 4 is an interaction schematic diagram of a communication method according to an embodiment of the present application. The communication method shown in fig. 4 is a refined embodiment based on fig. 3. It should be understood that the term explanations of the various embodiments in this application may be referenced to each other; to avoid redundancy, the same terminology may not be repeated in different embodiments. The present embodiment may be applied to the first possible implementation in which the access network device obtains the security policy corresponding to the QFI in step S301. In fig. 4, the method is illustrated with the terminal device, the access network device, the UPF network element, the SMF network element, and the PCF network element as the execution bodies of the interaction diagram, but the application is not limited to these execution bodies. For example, the terminal device in fig. 4 may also be a chip, a chip system, or a processor that supports the terminal device in implementing the method, or a logic module or software that can implement all or part of the functions of the terminal device; the access network device in fig. 4 may also be a chip, a chip system, or a processor that supports the access network device in implementing the method, or a logic module or software that can implement all or part of the functions of the access network device; the UPF network element in fig. 4 may also be a chip, a chip system, or a processor that supports the UPF network element in implementing the method, or a logic module or software that can implement all or part of the functions of the UPF network element; the SMF network element in fig. 4 may also be a chip, a chip system, or a processor that supports the SMF network element in implementing the method, or a logic module or software that can implement all or part of the functions of the SMF network element; the PCF network element in fig. 4 may also be a chip, a chip system, or a processor that supports the PCF network element in implementing the method, or a logic module or software that can implement all or part of the functions of the PCF network element. As shown in fig. 4, the communication method may include the following steps S401 to S415, where steps S412 to S415 are optional.
S401: the PCF network element sends PCC rules including QoS attribute indication information and security policy to the SMF network element. Accordingly, the SMF network element receives PCC rules from the PCF network element including QoS attribute indication information and security policies.
The PCF network element may determine the PCC rule before sending the PCC rule including the QoS attribute indication information and the security policy to the SMF network element. Specifically: the PCF network element may receive a policy authorization request from the AF network element, and further generate PCC rules according to the policy authorization request.
The AF network element may first perform policy grouping according to the service type of the terminal device, and then send a policy authorization request to the PCF network element. Specifically, the AF network element performs policy grouping according to the service type of the terminal device. For example, an industrial field enabling service (Industry Field Enable Service, IFES) of the AF network element can acquire the full topology of the field network of the operational technology (Operation Technology, OT) network and group the various service messages supported by the industrial terminal device into policies. Each policy group may correspond to service description information, a security policy, and/or QoS attribute indication information, etc.
The service description information may be understood as the parameters of the service, which may include at least one of the following: the type of service (e.g., voice service or video service), the identity of the service (e.g., the IP address of the service, the port number of the service, or an application identifier), the characteristics of the service (e.g., small-data service or broadband service), the identity of the terminal device executing the service, etc. The identification of the terminal device may include, for example, but is not limited to: international mobile equipment identity (IMEI), international mobile subscriber identity (IMSI), IP multimedia subsystem (IMS) private user identity (IMPI), temporary mobile subscriber identity (TMSI), IP multimedia public identity (IMPU), media access control (MAC) address, IP address, phone number, globally unique temporary UE identity (GUTI) (in particular the 5G-GUTI for 5G), subscription permanent identifier (SUPI), subscription concealed identifier (SUCI), or permanent equipment identifier (PEI).
The QoS attribute indication information may be used to characterize the quality-of-service guarantee applied to the data flow. For example, the QoS attribute indication information may be a 5QI, a scalar value that indexes a set of QoS characteristics and their values. For example, 5QI = 1 may indicate that the resource type (Resource Type) is guaranteed bit rate (GBR), the priority level (Priority Level) is 20, the packet delay budget (Packet Delay Budget) is 100 ms, …, and the default averaging window (Default Averaging Window) is to be defined. Alternatively, the QoS attribute indication information may be one or more QoS attributes and their values issued directly, or a 5QI together with one or more QoS attributes and their values. In this application the 5QI and/or the one or more QoS attributes and their values are collectively referred to as QoS attribute indication information, which is not described in detail again later.
In one embodiment, group A may include functional safety services, for which the security policy is that integrity protection is required and the QoS attribute indication information is 5QI 1; group B may include real-time traffic, for which there is no security policy (that is, neither confidentiality protection nor integrity protection is required) and the QoS attribute indication information for different service periods may be 5QI 2, 5QI 3, or 5QI 4; group C may include non-real-time traffic, for which the security policy is confidentiality protection and integrity protection and the QoS attribute indication information is 5QI 5; group D may include encryption-related traffic, for which the security policy is that confidentiality protection is required and the QoS attribute indication information is 5QI 6; and so on.
After the AF network element performs policy grouping according to the service type of the terminal device, it may send a policy authorization request to the PCF network element. In one possible implementation, the AF network element sends the policy authorization requests of multiple terminal devices in batches to the NEF network element in advance, where each request may include the identifier of the terminal device, service flow information, the QoS attribute indication information of each service flow, and/or the corresponding security policy; an exemplary structure is: terminal device identifier -> service data flow (SDF) -> QoS attribute indication information -> security policy. The NEF network element stores the policy authorization request in the UDR network element, and when the PCF network element receives a policy association establishment request message from the SMF network element, it can retrieve the pre-configured policy authorization request for that terminal device from the UDR network element based on the terminal device identifier and generate the PCC rule. In another possible implementation, when the AF network element receives a service request from a particular terminal device, it sends a policy authorization request for that terminal device to the PCF network element. In yet another possible implementation, when a particular service request is received, the AF network element sends a policy authorization request for the service data flow to the PCF network element.
The PCF network element may receive a policy authorization request from the AF network element, where the policy authorization request may include service description information, QoS attribute indication information, and a security policy, and the PCF network element may determine the PCC rule after receiving it. A PCC rule is a set of rule information for detecting SDFs and for policy and charging control of service data flows. For example, a PCC rule may be used to detect which service data flow an IP packet belongs to, identify the service to which the service data flow belongs, provide the charging parameters applicable to the service data flow, and provide policy control for the service data flow, where the policy control may include QoS attribute indication information and a security policy. In one embodiment, the PCC rule may include a number of parameters, such as a packet filter set (Packet Filter Set), QoS attribute indication information, precedence, a security policy, uplink and downlink maximum flow bit rate (UL and DL Maximum Flow Bit Rate), uplink and downlink guaranteed flow bit rate (UL and DL Guaranteed Flow Bit Rate), allocation and retention priority (ARP), QoS notification control (QNC), and the like. Wherein:
the packet filter set (Packet Filter Set) describes the range of service data flows to which the PCC rule applies, and may be matched by an internet protocol (IP) five-tuple (source IP address, destination IP address, protocol number, source port, and destination port) or by an application identifier;
the precedence indicates the priority of the PCC rule, that is, which rule is applied when a data flow matches multiple PCC rules.
S402: the SMF network element associates PCC rules to QoS flows.
Before sending the QFI of the QoS flow and the security policy corresponding to the QFI to the access network device, the SMF network element first obtains the security policy corresponding to the QFI, that is, the correspondence between the QFI and the security policy. Specifically, after receiving the PCC rule including the QoS attribute indication information and the security policy from the PCF network element in step S401, the SMF network element may associate the PCC rule with a QoS flow based on the QoS attribute indication information and the security policy, and then obtain the security policy corresponding to the QFI of that QoS flow from the PCC rule and the QoS flow associated with it.
Wherein the SMF network element associates the PCC rule to the QoS Flow, it is further understood that the SMF network element performs QoS Flow binding (QoS Flow binding) based on the PCC rule. It is further understood that the SMF network element may perform QoS flow binding based on some or all of the plurality of parameters in the PCC rule.
In particular, the SMF network element may associate PCC rules to the QoS flow based on the QoS attribute indication information and the security policy. In one possible implementation, the SMF network element may determine, from the created QoS flows, a QoS flow capable of supporting the QoS attribute indication information and the security policy described above, and associate the PCC rule to the QoS flow. In another possible implementation, the SMF network element may create a new QoS flow supporting the QoS attribute indication information and security policy described above and associate the PCC rule to the created QoS flow.
Specifically, the SMF network element may determine, based on the 5QI, ARP, and security policy in the PCC rule, whether an existing QoS flow can provide the 5QI, ARP, and security policy required by the PCC rule. If so, the SMF network element may associate the PCC rule with that QoS flow; if not, the SMF network element may create a new QoS flow based on the 5QI, ARP, security policy, and other information in the PCC rule and associate the PCC rule with the new QoS flow. A QoS flow whose security policy differs from that required by the PCC rule cannot be reused, even if its 5QI and ARP match.
S403: the SMF network element sends QFI of QoS flow and security policy corresponding to QFI to the access network device. Accordingly, the access network device receives the QFI and the corresponding security policy of the QFI of the QoS flow from the SMF network element.
After the SMF network element associates the PCC rule with the QoS flow, that is, after QoS flow binding is completed, the SMF network element may send the QFI, which is the identifier of the QoS flow, and the security policy corresponding to the QFI to the access network device. Specifically, the SMF network element may send the QFI and the QoS profile (QoS Profile) corresponding to the QFI to the access network device, where the QoS profile may include some or all of the parameters in the PCC rule issued by the PCF network element, for example the QoS attribute indication information (e.g. 5QI) and the security policy. An exemplary structure is QFI <- QoS Profile (5QI, security policy).
S404: and the access network equipment executes security protection on the first DRB corresponding to the QFI according to the security policy.
After the access network device obtains the security policy corresponding to the QFI, that is, after it receives the QFI and the corresponding security policy from the SMF network element, it may determine the first DRB corresponding to the QFI according to the security policy. One possible implementation selects, from the DRBs already created, a first DRB that supports the security policy corresponding to the QFI. Another possible implementation creates a new first DRB that supports the security policy corresponding to the QFI. An exemplary correspondence may be expressed as QFI <- 5QI <- DRB <- security policy. It is understood that the same DRB may correspond to one QoS flow or to a plurality of QoS flows; since security protection is indicated per DRB, the QoS flows mapped to the same DRB receive the same protection.
S405: the access network equipment sends the corresponding relation between the QFI and the first DRB to the terminal equipment. Correspondingly, the terminal equipment receives the corresponding relation between the QFI from the access network equipment and the first DRB.
After the access network device determines the first DRB corresponding to the QFI, the corresponding relationship between the QFI and the first DRB may be sent to the terminal device.
S406: the access network device sends indication information for indicating the execution of security protection on the first DRB to the terminal device according to the security policy. Accordingly, the terminal device receives indication information from the access network device for indicating to perform security protection on the first DRB.
The access network device may send, according to a security policy corresponding to the QFI, indication information to the terminal device, where the indication information is used to indicate to perform security protection on the first DRB corresponding to the QFI.
It can be understood that the access network device may send the correspondence between the QFI and the DRB and the indication information for security protection of the DRB to the terminal device in the same message or in different messages; that is, S405 and S406 may be the same step or different steps, and their execution order is not limited in this application. For example, the same message may be one RRC configuration message, and different messages may be two RRC configuration messages.
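As an added illustration of steps S401 to S406 (not code from the patent or from any 3GPP implementation), the following Python models the SMF network element's QoS flow binding with the security policy as a binding parameter and the access network device's DRB selection and RRC indication. The classes Smf and AccessNetwork, the function names, the rule names and the ARP values are assumptions made for the example. It demonstrates the point of S402 and S404: a PCC rule is bound to an existing QoS flow, and a QoS flow to an existing DRB, only when the security policy matches exactly, so two rules that share 5QI 1 and ARP but require different protection end up on different QoS flows and different DRBs.

```python
from dataclasses import dataclass, field

# Security policy as the patent words it: the protections required on the user plane.
NONE, INTEGRITY = frozenset(), frozenset({"integrity"})
CONFIDENTIALITY = frozenset({"confidentiality"})
BOTH = INTEGRITY | CONFIDENTIALITY

@dataclass(frozen=True)
class PccRule:
    """PCC rule from the PCF (S401); only the parameters used for QoS flow binding are kept."""
    name: str
    five_qi: int
    arp: int
    security_policy: frozenset

@dataclass
class QosFlow:
    qfi: int
    five_qi: int
    arp: int
    security_policy: frozenset
    rules: list = field(default_factory=list)

class Smf:
    """S402/S403: QoS flow binding with the security policy as an additional binding parameter."""
    def __init__(self):
        self.flows = []

    def bind(self, rule):
        for flow in self.flows:
            # Reuse an existing flow only when 5QI, ARP and security policy all match;
            # a flow with a different security policy cannot carry this rule even if 5QI and ARP agree.
            if (flow.five_qi, flow.arp, flow.security_policy) == (rule.five_qi, rule.arp, rule.security_policy):
                flow.rules.append(rule.name)
                return flow.qfi
        flow = QosFlow(len(self.flows) + 1, rule.five_qi, rule.arp, rule.security_policy, [rule.name])
        self.flows.append(flow)
        return flow.qfi

    def qos_profiles(self):
        """What S403 sends to the access network device: QFI <- QoS Profile (5QI, security policy)."""
        return {f.qfi: {"5qi": f.five_qi, "security_policy": f.security_policy} for f in self.flows}

class AccessNetwork:
    """S404 to S406: one DRB per security policy, then the RRC configuration for the terminal."""
    def __init__(self):
        self.drb_policy = {}   # drb_id -> security policy
        self.qfi_to_drb = {}

    def select_drb(self, qfi, policy):
        for drb_id, drb_policy in self.drb_policy.items():
            if drb_policy == policy:             # an already created DRB supports this policy
                self.qfi_to_drb[qfi] = drb_id
                return drb_id
        drb_id = len(self.drb_policy) + 1        # otherwise create a new DRB for it
        self.drb_policy[drb_id] = policy
        self.qfi_to_drb[qfi] = drb_id
        return drb_id

    def configure(self, profiles):
        for qfi, profile in profiles.items():
            self.select_drb(qfi, profile["security_policy"])
        # One RRC configuration carrying S405 (QFI -> DRB) and S406 (protection indicated per DRB).
        return {"qfi_to_drb": dict(self.qfi_to_drb),
                "drb_security": {d: {"integrity": "integrity" in p, "ciphering": "confidentiality" in p}
                                 for d, p in self.drb_policy.items()}}

# Constructed PCC rules following policy groups A to C above; names and ARP values are assumed.
PCC_RULES = [
    PccRule("safety_control", five_qi=1, arp=1, security_policy=INTEGRITY),        # group A
    PccRule("video_feed", five_qi=2, arp=5, security_policy=NONE),                  # group B
    PccRule("safety_diagnostics", five_qi=1, arp=1, security_policy=INTEGRITY),     # group A, reuses the flow
    PccRule("log_upload", five_qi=5, arp=8, security_policy=BOTH),                  # group C
    PccRule("config_secret", five_qi=1, arp=1, security_policy=CONFIDENTIALITY),    # same 5QI/ARP as A, other policy
]

def run_example():
    smf, ran = Smf(), AccessNetwork()
    qfis = {rule.name: smf.bind(rule) for rule in PCC_RULES}
    return qfis, ran.configure(smf.qos_profiles())
```

Running run_example() returns the QFI assigned to each rule and the resulting RRC configuration: the rule config_secret, although it shares 5QI 1 and ARP with the group A rules, gets its own QoS flow and its own DRB because its security policy differs. A real SMF also compares the other binding parameters (priority level, QNC, and so on); those are omitted here.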
The information exchanged over the control plane interfaces in steps S401 to S406 constitutes the process by which the security policy is issued or activated, which generally occurs before the data flow is transmitted. Steps S407 to S415 may be the processing of the user plane data flow. The implementation of sending an uplink data packet in steps S407 to S411 is described as follows:
s407: the terminal equipment determines a first DRB corresponding to the QFI of the first data packet.
When the terminal device needs to send a first data packet (an uplink data packet) to the access network device, it may first determine the QFI of the first data packet. The terminal device receives from the SMF network element the QFI and the QoS rules corresponding to the QFI; the QoS rules are used by the terminal device to associate the first data packet with the corresponding QFI and include a packet filter set (Packet Filter Set) and matching precedence information (Precedence). Specifically, the terminal device matches the QoS rule corresponding to the first data packet using the service flow information of the first data packet and the packet filter set, determines the QFI of the first data packet from the correspondence between QFI and QoS rule, and determines that the first data packet corresponds to the first DRB from the correspondence between the QFI and the first DRB. It should be understood that the first data packet corresponding to the first DRB means that the first data packet is transmitted through the first DRB.
S408: and the terminal equipment executes security protection on the first data packet corresponding to the first DRB according to the indication information.
The terminal device performs security protection on the first data packet corresponding to the first DRB according to the indication information (see the indication information in step S406). The security protection may be, for example, integrity protection, confidentiality protection, or both; confidentiality protection may be encryption of the first data packet.
S409: and the terminal equipment sends a first data packet to the access network equipment through the first DRB. Accordingly, the access network device receives the first data packet from the terminal device through the first DRB.
The terminal device may map the QoS flow of the first data packet to the first DRB, and after performing security protection on the first data packet corresponding to the first DRB according to the indication information, may send the first data packet to the access network device through the first DRB.
S410: the access network device performs security protection on the first data packet according to the security policy.
After the access network device receives the first data packet from the terminal device, it may perform security protection on the first data packet according to a security policy, which may be implemented as follows:
The first implementation: the access network device receives the first data packet from the terminal device through the first DRB, determines the security policy corresponding to the first DRB according to the identifier of the first DRB, and then performs security protection on the first data packet according to that security policy. Specifically, in step S403 the access network device receives the QFI and the security policy corresponding to the QFI from the SMF network element, and in step S404, after determining the first DRB corresponding to the QFI, it can establish the relationship between the first DRB and the security policy through the QFI and store the correspondence between the first DRB and the security policy. After receiving the first data packet through the first DRB, the access network device determines the security policy corresponding to the first DRB from the identifier of the first DRB and applies security protection to the first data packet according to that policy.
The second implementation mode: optionally, the first data packet may include a QFI, which is an identification of the QoS flow. The access network equipment receives a first data packet from the terminal equipment through the first DRB, wherein the first data packet comprises QFI, the access network equipment can determine a security policy corresponding to the QFI according to the QFI in the first data packet, and the access network equipment performs security protection on the first data packet according to the corresponding security policy.
The access network device performing security protection on the first data packet and the terminal device performing security protection on the first data packet may correspond to each other. It is understood that, for example, the terminal device performs security protection on the first data packet by encrypting and/or integrity protecting the first data packet, and the access network device performs security protection on the first data packet by decrypting and/or integrity checking the first data packet.
S411: the access network device sends the first data packet to the UPF network element through the QoS flow corresponding to the first DRB. Accordingly, the UPF network element receives the first data packet from the access network device through the QoS flow corresponding to the first DRB.
The access network device receives the first data packet from the terminal device and, after performing security protection on it, may send it to the UPF network element, thereby realizing uplink data transmission on the user plane.
Steps S412 to S415 describe the transmission of a downlink data packet, as follows:
S412: The UPF network element determines the QFI of the second data packet.
When the UPF network element receives a downlink data packet, such as the second data packet, it may first determine the QFI of the second data packet. Specifically, the UPF network element receives from the SMF network element the QFI and the QoS rules corresponding to the QFI, which are used by the UPF network element to associate the second data packet with the corresponding QFI and which include a packet filter set (Packet Filter Set) and matching precedence information (Precedence). The UPF network element matches the QoS rule corresponding to the second data packet using the service flow information of the second data packet and the packet filter set, and determines the QFI of the second data packet from the correspondence between the QFI and the QoS rule.
S413: the UPF network element sends the second data packet to the access network equipment through the QoS flow corresponding to the QFI. Accordingly, the access network device receives the second data packet from the UPF network element through the QoS flow corresponding to the QFI.
After the UPF network element determines the QFI of the second data packet, the second data packet may be sent to the access network device through the QoS flow corresponding to the QFI. Alternatively, the second data packet may include a QFI.
S414: the access network device executes security protection on the second data packet based on the security policy corresponding to the QFI.
The access network device performs security protection on the second data packet based on the security policy corresponding to the QFI, which may be implemented as follows:
the first implementation mode: the access network device receives the second data packet from the UPF network element through the QoS flow corresponding to the QFI, and in step S403, the access network device receives the QFI from the SMF network element and the security policy corresponding to the QFI, so that the access network device may determine the corresponding security policy according to the QFI of the QoS flow, and then perform security protection on the second data packet according to the corresponding security policy.
The second implementation mode: the access network device receives a second data packet from the UPF network element through the QoS flow corresponding to the QFI, where the second data packet includes the QFI, and in step S403, the access network device receives the QFI from the SMF network element and the security policy corresponding to the QFI, so that the access network device may determine the security policy corresponding to the QFI according to the QFI in the second data packet, and perform security protection on the second data packet according to the corresponding security policy, where the security protection may be, for example, performing integrity protection, or confidentiality protection, or both integrity protection and confidentiality protection. For example, confidentiality protection may be encryption processing of the first data packet.
S415: and the access network equipment sends a second data packet to the terminal equipment through the first DRB corresponding to the QFI. Correspondingly, the terminal equipment receives the second data packet from the access network equipment through the first DRB corresponding to the QFI.
The access network device receives the second data packet from the UPF network element, and after performing security protection on the second data packet, the access network device can send the second data packet to the terminal device, so as to realize downlink data transmission of the user plane. After receiving the second data packet, the terminal device may perform security protection on the second data packet. The terminal device performing security protection on the second data packet and the access network device performing security protection on the second data packet may correspond to each other. It is understood that, for example, the access network device performs security protection on the second data packet by encrypting and/or integrity protecting the second data packet, and the terminal device performs security protection on the second data packet by decrypting and/or integrity checking the second data packet.
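Steps S407 to S411 (uplink) and S412 to S415 (downlink) share the same three operations: classify the packet to a QFI through the packet filter set, map the QFI to a DRB, and apply or remove the protection indicated for that DRB. The following Python is an added example covering both directions; it is not code from the patent. Its cipher and MAC are stand-ins for the 3GPP NEA/NIA algorithms (a SHA-256 counter-mode keystream and a truncated HMAC-SHA256), the packet filters, key and payloads are constructed, and the class and function names are assumptions. It shows the first implementation of S410 (policy derived from the DRB the packet arrived on) combined with the second (QFI carried in the packet), with the check a practitioner would want: a QFI found in a received packet is only accepted if it belongs to the DRB it arrived on, because the sender, not the receiver, fills in that field.

```python
import hashlib
import hmac
from collections import namedtuple

UPLINK, DOWNLINK, MAC_LEN = 0, 1, 4   # PDCP DIRECTION bit values; MAC-I is 32 bits
# One entry of a packet filter set; None means "any"; the lowest precedence value wins.
PacketFilter = namedtuple("PacketFilter", "precedence qfi dst_ip protocol dst_port", defaults=(None, None, None))

def match_qfi(filters, packet):
    """S407 (terminal, uplink) / S412 (UPF, downlink): packet -> QoS rule -> QFI."""
    for f in sorted(filters, key=lambda x: x.precedence):
        wanted = (("dst_ip", f.dst_ip), ("protocol", f.protocol), ("dst_port", f.dst_port))
        if all(value is None or packet.get(name) == value for name, value in wanted):
            return f.qfi
    return None

def _keystream(key, count, direction, length):
    # Counter-mode keystream from SHA-256: a stand-in for NEA1/2/3, not a 3GPP algorithm.
    out, block = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + count.to_bytes(4, "big") + bytes([direction]) + block.to_bytes(2, "big")).digest()
        block += 1
    return out[:length]

def _mac(key, count, direction, drb_id, data):
    # COUNT, DIRECTION and BEARER are bound into the MAC-I, as with NIA1/2/3 (replay, cross-bearer reuse).
    msg = count.to_bytes(4, "big") + bytes([direction, drb_id]) + data
    return hmac.new(key, msg, hashlib.sha256).digest()[:MAC_LEN]

def protect(policy, key, count, direction, drb_id, payload):
    """S408 / S414, sender side: MAC-I over the plaintext, then ciphering of data and MAC-I."""
    data = payload
    if "integrity" in policy:
        data += _mac(key, count, direction, drb_id, data)
    if "confidentiality" in policy:
        data = bytes(a ^ b for a, b in zip(data, _keystream(key, count, direction, len(data))))
    return data

def unprotect(policy, key, count, direction, drb_id, pdu):
    """S410 / S415, receiver side: decipher, then verify MAC-I; raises on a failed check."""
    data = pdu
    if "confidentiality" in policy:
        data = bytes(a ^ b for a, b in zip(data, _keystream(key, count, direction, len(data))))
    if "integrity" in policy:
        body, tag = data[:-MAC_LEN], data[-MAC_LEN:]
        if not hmac.compare_digest(tag, _mac(key, count, direction, drb_id, body)):
            raise ValueError("integrity check failed")
        data = body
    return data

class RanUserPlane:
    """Access network side; the tables are what S403 to S406 established (assumed values)."""
    def __init__(self, qfi_to_drb, drb_security, key):
        self.qfi_to_drb, self.drb_security, self.key = qfi_to_drb, drb_security, key
        self.drb_to_qfis = {d: {q for q, dd in qfi_to_drb.items() if dd == d} for d in set(qfi_to_drb.values())}

    def receive_uplink(self, drb_id, count, pdu, qfi_in_pdu=None):
        policy = self.drb_security[drb_id]      # S410, first implementation: policy from the DRB identifier
        # S410, second implementation: the QFI in the packet is sender-controlled, so honour it only
        # if it belongs to the DRB the packet arrived on (reject before any cryptographic work).
        if qfi_in_pdu is not None and qfi_in_pdu not in self.drb_to_qfis[drb_id]:
            raise ValueError("QFI in packet does not belong to this DRB")
        return unprotect(policy, self.key, count, UPLINK, drb_id, pdu)

    def send_downlink(self, qfi, count, payload):
        drb_id = self.qfi_to_drb[qfi]            # S414/S415: QFI -> DRB -> security policy
        return drb_id, protect(self.drb_security[drb_id], self.key, count, DOWNLINK, drb_id, payload)

def ue_send_uplink(filters, qfi_to_drb, drb_security, key, count, packet):
    """S407 to S409 on the terminal: classify, map QFI to DRB, protect, and return the PDU."""
    qfi = match_qfi(filters, packet)
    drb_id = qfi_to_drb[qfi]
    return drb_id, qfi, protect(drb_security[drb_id], key, count, UPLINK, drb_id, packet["payload"])

# Constructed configuration and traffic (assumed values, not from the patent).
FILTERS = [PacketFilter(10, 1, "10.0.0.5", 17, 4840),   # control traffic, QFI 1 (5QI 1, integrity)
           PacketFilter(20, 3, "10.0.0.9", 6),          # log upload, QFI 3 (5QI 5, integrity + confidentiality)
           PacketFilter(255, 2)]                         # default rule: real-time, QFI 2 (no protection)
QFI_TO_DRB = {1: 1, 2: 2, 3: 3}
DRB_SECURITY = {1: frozenset({"integrity"}), 2: frozenset(), 3: frozenset({"integrity", "confidentiality"})}
KEY = hashlib.sha256(b"example user-plane key; real systems derive separate KUPint/KUPenc from KgNB").digest()

def run_example():
    ran = RanUserPlane(QFI_TO_DRB, DRB_SECURITY, KEY)
    ctrl = {"dst_ip": "10.0.0.5", "protocol": 17, "dst_port": 4840, "payload": b"set valve 3 open"}
    drb, qfi, pdu = ue_send_uplink(FILTERS, QFI_TO_DRB, DRB_SECURITY, KEY, 7, ctrl)
    result = {"uplink_qfi": qfi, "uplink_drb": drb, "uplink_ok": ran.receive_uplink(drb, 7, pdu, qfi) == ctrl["payload"]}
    for label, args in (("tamper_rejected", (drb, 7, bytes([pdu[0] ^ 1]) + pdu[1:], qfi)),
                        ("qfi_mismatch_rejected", (drb, 8, pdu, 3))):
        try:
            ran.receive_uplink(*args)
            result[label] = False
        except ValueError:
            result[label] = True
    down_drb, down_pdu = ran.send_downlink(3, 42, b"log chunk")
    result.update(downlink_drb=down_drb, downlink_ciphered=down_pdu[:9] != b"log chunk",
                  downlink_ok=unprotect(DRB_SECURITY[3], KEY, 42, DOWNLINK, down_drb, down_pdu) == b"log chunk")
    return result
```

A flipped bit on the integrity-protected DRB fails the MAC-I check, and a packet whose QFI maps to another DRB is rejected before any cryptographic processing; the downlink packet on the confidentiality-and-integrity DRB is ciphered on the air and recovered by the terminal device with the policy it was configured with in S406. COUNT, DIRECTION and BEARER are bound into the MAC-I and the keystream as in PDCP, which is what prevents replay and cross-DRB reuse of a protected PDU; a real implementation uses separate KUPint and KUPenc keys rather than the single key assumed here.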
It will be appreciated that the present application does not limit the order in which the steps of the above embodiments are executed. According to this embodiment, security policy control of the user plane session can be performed at QoS flow/DRB granularity: different security policies are associated with specific QoS flows, the QoS flows are mapped to DRBs, and different QoS flows/DRBs can therefore execute different security policies. This realizes security protection based on QoS flows/DRBs and meets the security requirements of different types of services; compared with applying the same security policy to all QoS flows/DRBs at PDU session granularity, the precision of the security protection of service data is improved.
In combination with the above network architecture, another communication method provided in the embodiments of the present application is described below.
Referring to fig. 5, fig. 5 is an interaction schematic diagram of a communication method according to an embodiment of the present application. The communication method shown in fig. 5 is a refined embodiment based on fig. 3. It should be understood that the term definitions of the various embodiments in this application may be referenced to each other; to avoid redundancy, the same terminology may not be repeated in different embodiments. This embodiment corresponds to the second possible implementation of step S301, in which the access network device obtains the security policy corresponding to the QFI. In fig. 5, the method is illustrated with the terminal device, the access network device, the UPF network element, the SMF network element, and the AF network element as the execution bodies of the interaction, but the application is not limited to these execution bodies. For example, the terminal device in fig. 5 may also be a chip, a chip system, or a processor that supports the terminal device in implementing the method, or a logic module or software that implements all or part of the functions of the terminal device; likewise, each of the access network device, the UPF network element, the SMF network element, and the AF network element in fig. 5 may be a chip, a chip system, or a processor that supports that network element in implementing the method, or a logic module or software that implements all or part of its functions. As shown in fig. 5, the communication method may include the following steps S501 to S515, wherein steps S512 to S515 are optional steps.
S501: and the AF network element sends the security policy corresponding to the QoS attribute indication information to the access network equipment. Correspondingly, the access network equipment receives the security policy corresponding to the QoS attribute indication information from the AF network element.
The AF network element may first perform policy grouping according to the service type of the terminal device, and then send the security policy corresponding to the QoS attribute indication information to the access network device. The policy grouping performed by the AF network element according to the service type of the terminal device is described under step S401 above and is not repeated here.
The AF network element sends the security policy corresponding to the QoS attribute indication information to the access network device; an exemplary structure is: 5QI1 -> Security policy 1; 5QI2/5QI3/5QI4 -> Security policy 2; 5QI5 -> Security policy 3; 5QI6 -> Security policy 4; and so on. The AF network element may send the security policy corresponding to the QoS attribute indication information to the access network device in the following ways:
one possible implementation: the AF network element may send, by using 5GC, a security policy corresponding to the QoS attribute indication information to the access network device, for example, the AF network element may send, by using network elements such as NEF/PCF/SMF, a security policy corresponding to the QoS attribute indication information to the access network device.
Another possible implementation: the AF network element may send, to the access network device (e.g., RAN), a security policy corresponding to the QoS attribute indication information through an API opened by the access network device (e.g., RAN) operation administration maintenance system (Operation Administration and Maintenance, OAM). For example, the AF network element obtains the access network device (such as gNB/cell) where the terminal device is currently located based on the capability open architecture, and sends the security policy corresponding to the QoS attribute indication information to the OAM of the access network device.
It may be understood that the above description only uses an AF network element as an example, and the security policy corresponding to the QoS attribute indication information received by the access network device may also come from other network elements, which is not limited in this embodiment of the present application.
S502: and the SMF network element sends QoS attribute indication information corresponding to the QFI to the access network equipment. Accordingly, the access network device receives QoS attribute indication information corresponding to the QFI from the SMF network element.
The SMF network element may perform QoS flow binding (QoS Flow binding) before sending the QoS attribute indication information corresponding to the QFI to the access network device; that is, the SMF network element performs QoS flow binding based on the PCC rule, or in other words associates the PCC rule with a QoS flow. Specifically, the SMF network element may receive an authorized PCC rule from the PCF network element, which in one embodiment may include a number of parameters, such as a packet filter set (Packet Filter Set), QoS attribute indication information, precedence, a security policy, uplink and downlink maximum flow bit rate (UL and DL Maximum Flow Bit Rate), uplink and downlink guaranteed flow bit rate (UL and DL Guaranteed Flow Bit Rate), ARP, QNC, etc. The QoS flow binding performed by the SMF network element based on the PCC rule is described under steps S401 and S402 above.
After completing the QoS flow binding, the SMF network element may send the QoS attribute indication information corresponding to the QFI to the access network device, where the QFI is the identifier of the QoS flow. Specifically, the SMF network element may send the QFI and the QoS profile (QoS Profile) corresponding to the QFI to the access network device, where the QoS profile may include some or all of the parameters in the PCC rule issued by the PCF network element, for example the QoS attribute indication information (e.g. 5QI). An exemplary structure is QFI <- QoS Profile (5QI).
It may be understood that the foregoing description only uses an SMF network element as an example, and QoS attribute indication information corresponding to the QFI received by the access network device may also come from other network elements, which is not limited in this embodiment of the present application.
S503: The access network device determines the security policy corresponding to the QFI according to the QoS attribute indication information corresponding to the QFI and the security policy corresponding to the QoS attribute indication information.
The access network device receives the security policy corresponding to the QoS attribute indication information and the QoS attribute indication information corresponding to the QFI, and may determine the security policy corresponding to the QFI according to the QoS attribute indication information corresponding to the QFI and the security policy corresponding to the QoS attribute indication information. Illustratively, if 5QI1 -> security policy 1 and QFI1 -> 5QI1, then QFI1 -> 5QI1 -> security policy 1.
S504: The access network device performs security protection on the first DRB corresponding to the QFI according to the security policy.
After the access network device obtains the security policy corresponding to the QFI, that is, after the access network device determines the security policy corresponding to the QFI according to the QoS attribute indication information corresponding to the QFI and the security policy corresponding to the QoS attribute indication information, the access network device may determine the first DRB corresponding to the QFI according to the security policy. The access network device determines the first DRB corresponding to the QFI according to the security policy, which is specifically described above with reference to step S404.
S505: The access network device sends the correspondence between the QFI and the first DRB to the terminal device. Correspondingly, the terminal device receives the correspondence between the QFI and the first DRB from the access network device.
After the access network device determines the first DRB corresponding to the QFI, it may send the correspondence between the QFI and the first DRB to the terminal device.
S506: the access network device sends indication information for indicating the execution of security protection on the first DRB to the terminal device according to the security policy. Accordingly, the terminal device receives indication information from the access network device for indicating to perform security protection on the first DRB.
It is to be understood that the specific step S506 may refer to the step S406, and is not repeated herein.
The information transferred over the control plane interface in steps S501 to S506 may be the process of issuing or activating the security policy, which generally occurs before the data stream is transmitted. The following steps S507 to S515 may be the processing of the user plane data stream. The implementation of sending an uplink data packet in steps S507 to S511 is specifically described as follows:
S507: The terminal device determines the first DRB corresponding to the QFI of the first data packet.
S508: The terminal device performs security protection on the first data packet corresponding to the first DRB according to the indication information.
S509: The terminal device sends the first data packet to the access network device through the first DRB. Accordingly, the access network device receives the first data packet from the terminal device through the first DRB.
S510: the access network device performs security protection on the first data packet according to the security policy.
S511: the access network device sends the first data packet to the UPF network element through the QoS flow corresponding to the first DRB. Accordingly, the UPF network element receives the first data packet from the access network device through the QoS flow corresponding to the first DRB.
It is understood that the descriptions of the specific steps S507 to S511 may refer to the steps S407 to S411, and are not repeated herein. Step S512 to step S515 are implementation manners of transmitting the downlink data packet, and are specifically described as follows:
S512: the UPF network element determines a QFI of the second data packet.
S513: the UPF network element sends the second data packet to the access network equipment through the QoS flow corresponding to the QFI. Accordingly, the access network device receives the second data packet from the UPF network element through the QoS flow corresponding to the QFI.
S514: the access network device executes security protection on the second data packet based on the security policy corresponding to the QFI.
S515: The access network device sends the second data packet to the terminal device through the first DRB corresponding to the QFI. Correspondingly, the terminal device receives the second data packet from the access network device through the first DRB corresponding to the QFI.
It will be appreciated that the specific steps S512 to S515 may be described with reference to the above steps S412 to S415, and are not repeated herein.
It will be appreciated that the present application is not limited to the order of execution of the steps in the embodiments described above. According to the embodiment of the application, security policy control of the user plane session can be realized at QoS flow/DRB granularity: different security policies are associated with specific QoS flows and the QoS flows are mapped to DRBs, so that different QoS flows/DRBs can execute different security policies. Security protection based on QoS flows/DRBs is thereby realized and the security requirements of different types of services are met; compared with the case where all QoS flows/DRBs of a PDU session use the same security policy at PDU session granularity, the accuracy of the security protection of service data can be improved.
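The control-plane mapping of steps S501 to S504 and the uplink handling of steps S507 to S510, as an added example that is not code from the patent: the class and function names, the toy keystream and MAC stand-ins for ciphering and integrity protection, and the 5QI, QFI and key values are constructed assumptions. It shows the access network device resolving QFI -> 5QI -> security policy, binding each QoS flow to a DRB whose configuration supports that policy (reusing a created DRB or creating one), and then protecting and checking packets per DRB, including a check that the QFI carried in an uplink packet is actually mapped to the DRB it arrived on.

```python
# Added example: per-QFI security policy resolution and DRB binding (S501-S510).
from dataclasses import dataclass
import hashlib
import hmac

MAC_LEN = 4  # stand-in for a 32-bit MAC-I (assumption)


@dataclass(frozen=True)
class SecurityPolicy:
    integrity: bool        # integrity protection policy
    confidentiality: bool  # confidentiality (ciphering) policy


@dataclass
class DRB:
    drb_id: int
    policy: SecurityPolicy  # protection this bearer was configured with


def _keystream(key: bytes, count: int, n: int) -> bytes:
    # Toy keystream (assumption): stands in for NEA ciphering, not a real cipher.
    return hashlib.shake_256(key + count.to_bytes(4, "big")).digest(n)


def protect(key: bytes, policy: SecurityPolicy, qfi: int, count: int, payload: bytes) -> bytes:
    """Build PDU [qfi][count][body][mac], applying only what the policy requires."""
    body = payload
    if policy.confidentiality:
        body = bytes(a ^ b for a, b in zip(body, _keystream(key, count, len(body))))
    header = bytes([qfi]) + count.to_bytes(4, "big")
    mac = hmac.new(key, header + body, hashlib.sha256).digest()[:MAC_LEN] if policy.integrity else b""
    return header + body + mac


def unprotect(key: bytes, policy: SecurityPolicy, pdu: bytes) -> tuple[int, bytes]:
    """Reverse protect(); raises ValueError when the integrity check fails."""
    header, rest = pdu[:5], pdu[5:]
    body, mac = (rest[:-MAC_LEN], rest[-MAC_LEN:]) if policy.integrity else (rest, b"")
    if policy.integrity:
        expected = hmac.new(key, header + body, hashlib.sha256).digest()[:MAC_LEN]
        if not hmac.compare_digest(mac, expected):
            raise ValueError("integrity check failed")
    if policy.confidentiality:
        count = int.from_bytes(header[1:], "big")
        body = bytes(a ^ b for a, b in zip(body, _keystream(key, count, len(body))))
    return header[0], body


class AccessNetworkDevice:
    """gNB side: S501-S504 on the control plane, S510 on the user plane."""
    def __init__(self, key: bytes, policy_by_5qi: dict, five_qi_by_qfi: dict):
        self.key = key
        self.policy_by_5qi = policy_by_5qi     # S501: security policy per 5QI (from AF/PCF)
        self.five_qi_by_qfi = five_qi_by_qfi   # S502: QoS profile (5QI) per QFI (from SMF)
        self.drbs: list[DRB] = []
        self.drb_by_qfi: dict[int, DRB] = {}   # S505/S506: sent to the UE with the indication

    def security_policy_for(self, qfi: int) -> SecurityPolicy:
        # S503: QFI -> 5QI -> security policy.
        return self.policy_by_5qi[self.five_qi_by_qfi[qfi]]

    def bind_drb(self, qfi: int) -> DRB:
        # S504: reuse a created DRB whose configuration supports the policy, else create one.
        policy = self.security_policy_for(qfi)
        drb = next((d for d in self.drbs if d.policy == policy), None)
        if drb is None:
            drb = DRB(len(self.drbs) + 1, policy)
            self.drbs.append(drb)
        self.drb_by_qfi[qfi] = drb
        return drb

    def receive_uplink(self, drb_id: int, pdu: bytes) -> tuple[int, bytes]:
        # S510: apply the policy of the DRB the packet arrived on, then check that the
        # QFI carried in the packet is mapped to that DRB before forwarding (S511).
        drb = next(d for d in self.drbs if d.drb_id == drb_id)
        qfi, payload = unprotect(self.key, drb.policy, pdu)
        if self.drb_by_qfi.get(qfi) is not drb:
            raise ValueError(f"QFI {qfi} is not mapped to DRB {drb_id}")
        return qfi, payload


class TerminalDevice:
    """UE side: S507-S509 (the downlink path S512-S515 is the mirror image)."""
    def __init__(self, key: bytes, configuration: dict[int, DRB]):
        self.key, self.drb_by_qfi, self.count = key, configuration, 0

    def send_uplink(self, qfi: int, payload: bytes) -> tuple[int, bytes]:
        drb = self.drb_by_qfi[qfi]  # S507: first DRB for this packet's QFI
        self.count += 1             # S508/S509: protect as indicated, send on that DRB
        return drb.drb_id, protect(self.key, drb.policy, qfi, self.count, payload)


def demo() -> tuple[dict[int, int], int, bytes]:
    # Constructed configuration: two 5QIs with different policies, three QFIs.
    key = b"constructed-demo-key"
    policies = {5: SecurityPolicy(True, True), 9: SecurityPolicy(False, True)}  # S501
    gnb = AccessNetworkDevice(key, policies, five_qi_by_qfi={1: 5, 2: 9, 3: 5})  # S502
    bindings = {qfi: gnb.bind_drb(qfi).drb_id for qfi in (1, 2, 3)}  # {1: 1, 2: 2, 3: 1}
    ue = TerminalDevice(key, dict(gnb.drb_by_qfi))  # S505/S506
    drb_id, pdu = ue.send_uplink(1, b"hello")
    qfi, payload = gnb.receive_uplink(drb_id, pdu)  # (1, b"hello")
    return bindings, qfi, payload
```

QFI 1 and QFI 3 share DRB 1 because they resolve to the same policy, while QFI 2 gets its own DRB, which is exactly the per-flow/per-bearer separation the embodiment is after.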
The method embodiments provided by the embodiments of the present application are described above, and the embodiments of the apparatus related to the embodiments of the present application are described below.
Referring to fig. 6, fig. 6 is a schematic structural diagram of a communication apparatus provided in the embodiment of the present application, where the communication apparatus may be applied to an access network device, a module (e.g., a chip or a processor) in the access network device, and a logic module or software capable of implementing all or part of functions of the access network device. Illustratively, as shown in fig. 6, the communication device 600 may include: an acquisition unit 601 and a processing unit 602; wherein:
an obtaining unit 601, configured to obtain a security policy corresponding to the QFI, where the security policy includes an integrity protection and/or confidentiality protection policy;
and a processing unit 602, configured to perform security protection on the first DRB corresponding to the QFI according to the security policy.
In one embodiment, the obtaining unit 601 is specifically configured to receive the security policy corresponding to the QFI from a session management function network element.
In one embodiment, the obtaining unit 601 is specifically configured to:
acquiring QoS attribute indication information corresponding to the QFI, wherein the QoS attribute indication information indicates the quality of service guarantee adopted for the data flow;
acquiring the security policy corresponding to the QoS attribute indication information;
and determining the security policy corresponding to the QFI according to the QoS attribute indication information corresponding to the QFI and the security policy corresponding to the QoS attribute indication information.
In one embodiment, the communication device 600 may further include:
and a transceiver unit 603, configured to send, to a terminal device, indication information according to the security policy, where the indication information is used to indicate to perform security protection on the first DRB.
In one embodiment, the processing unit 602 is specifically configured to:
receiving a first data packet from a terminal device through the first DRB;
and executing security protection on the first data packet according to the security policy.
In an embodiment, the processing unit 602 is further configured to determine the security policy according to the QFI included in the first data packet.
In one embodiment, the transceiver unit 603 is further configured to send the first data packet to a user plane function network element through a QoS flow corresponding to the QFI.
In one embodiment, the processing unit 602 is specifically configured to:
receiving a second data packet from a user plane function network element through a QoS flow corresponding to the QFI;
performing security protection on the second data packet according to the security policy;
and sending the second data packet to terminal equipment through the first DRB.
In one embodiment, the first DRB is capable of supporting the security policy.
In an embodiment, the processing unit 602 is further configured to determine the first DRB from the created DRBs or create the first DRB.
For more detailed descriptions of the obtaining unit 601, the processing unit 602, and the transceiver unit 603, reference may be directly made to the related descriptions of the access network device in the method embodiments shown in fig. 3 to fig. 5, which are not repeated herein.
Referring to fig. 7, fig. 7 is a schematic structural diagram of another communication apparatus provided in the embodiment of the present application, where the communication apparatus may be applied to a terminal device, a module (e.g., a chip or a processor) in the terminal device, and a logic module or software capable of implementing all or part of functions of the terminal device. As shown in fig. 7, the communication device 700 may include: a transceiver unit 701 and a processing unit 702; wherein:
a transceiver unit 701, configured to receive indication information from an access network device, where the indication information is used to indicate that security protection is performed on the first DRB, where the security protection includes integrity and/or confidentiality protection;
a processing unit 702, configured to perform security protection on the first DRB according to the indication information.
In one embodiment, the processing unit 702 is specifically configured to:
performing security protection on the first data packet according to the indication information;
and sending the first data packet subjected to security protection to the access network equipment through the first DRB.
In one embodiment, the processing unit 702 is specifically configured to:
receiving, by the first DRB, a second data packet from the access network device;
and executing security protection on the second data packet according to the indication information.
For more detailed descriptions of the transceiver unit 701 and the processing unit 702, reference may be directly made to the related descriptions of the terminal device in the method embodiments shown in fig. 3 to fig. 5, which are not repeated herein.
Referring to fig. 8, fig. 8 is a schematic structural diagram of another communication device according to an embodiment of the present application, where the communication device may be applied to an SMF network element, a module (e.g., a chip or a processor) in the SMF network element, and a logic module or software capable of implementing all or part of the functions of the SMF network element. Illustratively, as shown in fig. 8, the communication device 800 may include: a transceiver unit 801 and a processing unit 802; wherein:
a transceiver unit 801, configured to receive a policy and charging control rule from a policy control function network element, where the policy and charging control rule includes quality of service QoS attribute indication information and a security policy, and the security policy includes an integrity protection and/or confidentiality protection policy;
a processing unit 802, configured to associate the policy and charging control rule to a QoS flow based on the QoS attribute indication information and the security policy;
the transceiver unit 801 is further configured to send the security policy corresponding to the QFI of the QoS flow to an access network device.
In one embodiment, the processing unit 802 is specifically configured to:
determining, from the created QoS flows, a QoS flow capable of supporting the QoS attribute indication information and the security policy, or creating a QoS flow that supports the QoS attribute indication information and the security policy;
the policy and charging control rules are associated to the QoS flows.
For more detailed descriptions of the transceiver unit 801 and the processing unit 802, reference may be directly made to the related descriptions of the SMF network elements in the method embodiments shown in fig. 3 to 5, which are not described herein.
Referring to fig. 9, fig. 9 is a schematic structural diagram of another communication device according to an embodiment of the present application. Illustratively, as shown in fig. 9, the apparatus 900 may include one or more processors 901, where the processors 901 may also be referred to as processing units and may implement certain control functions. The processor 901 may be a general purpose processor or a special purpose processor, for example a baseband processor or a central processing unit. The baseband processor may be used to process communication protocols and communication data, and the central processor may be used to control communication devices (e.g., base stations, baseband chips, terminals, terminal chips, DUs or CUs, etc.), execute software programs, and process data of the software programs.
In an alternative design, the processor 901 may also have instructions 903 stored therein, where the instructions 903 may be executed by the processor, so that the apparatus 900 performs the method described in the method embodiment above.
In another alternative design, a transceiver unit for implementing the receive and transmit functions may be included in processor 901. For example, the transceiver unit may be a transceiver circuit, or an interface circuit, or a communication interface. The transceiver circuitry, interface or interface circuitry for implementing the receive and transmit functions may be separate or may be integrated. The transceiver circuit, interface or interface circuit may be used for reading and writing codes/data, or the transceiver circuit, interface or interface circuit may be used for transmitting or transferring signals.
In yet another possible design, apparatus 900 may include circuitry to implement the functions of transmitting or receiving or communicating in the foregoing method embodiments.
Optionally, the apparatus 900 may include one or more memories 902, on which instructions 904 may be stored, which may be executed on the processor, to cause the apparatus 900 to perform the methods described in the method embodiments above. Optionally, the memory may further store data. In the alternative, the processor may store instructions and/or data. The processor and the memory may be provided separately or may be integrated. For example, the correspondence described in the above method embodiments may be stored in a memory or in a processor.
Optionally, the apparatus 900 may further comprise a transceiver 905 and/or an antenna 906. The processor 901 may be referred to as a processing unit for controlling the apparatus 900. The transceiver 905 may be referred to as a transceiver unit, a transceiver circuit, a transceiver device, a transceiver module, or the like, for implementing a transceiver function.
Alternatively, the apparatus 900 in the embodiments of the present application may be used to perform the methods described in fig. 3-5 in the embodiments of the present application.
In one embodiment, the communication apparatus 900 may be applied to an access network device, a module (e.g., a chip or a processor) in the access network device, and a logic module or software that can implement all or part of the functions of the access network device. When the computer program instructions stored in the memory 902 are executed, the processor 901 is configured to control the obtaining unit 601 and the processing unit 602 to perform the operations performed in the above embodiments, the transceiver 905 is configured to perform the operations performed by the transceiver unit 603 in the above embodiments, and the transceiver 905 is also configured to transmit information to a communication device other than the communication device. The above access network device or the modules in the access network device may also be used to execute the various methods executed by the access network device in the embodiments of the methods shown in fig. 3 to 5, which are not described herein.
In one embodiment, the communication apparatus 900 may be applied to a terminal device, a module (e.g., a chip or a processor) in the terminal device, and a logic module or software that can implement all or part of the functions of the terminal device. When the computer program instructions stored in the memory 902 are executed, the processor 901 is configured to control the processing unit 702 to perform the operations performed in the above embodiments, the transceiver 905 is configured to perform the operations performed by the transceiver unit 701 in the above embodiments, and the transceiver 905 is also configured to transmit information to a communication device other than the communication device. The terminal device or the module in the terminal device may also be used to execute the various methods executed by the terminal device in the embodiments of the methods of fig. 3 to 5, which are not described herein.
In one embodiment, the communication device 900 may be applied to an SMF network element, a module (e.g., a chip or a processor) in the SMF network element, and a logic module or software that can implement all or part of the SMF network element functions. When the computer program instructions stored in the memory 902 are executed, the processor 901 is configured to control the processing unit 802 to perform the operations performed in the above embodiments, the transceiver 905 is configured to perform the operations performed by the transceiver unit 801 in the above embodiments, and the transceiver 905 is also configured to transmit information to a communication device other than the communication device. The above SMF network element or the modules in the SMF network element may also be used to execute the various methods executed by the SMF network element in the embodiments of the methods of fig. 3 to 5, which are not described herein.
The processors and transceivers described herein may be implemented on integrated circuits (integrated circuit, IC), analog ICs, radio frequency integrated circuits (radio frequency integrated circuit, RFIC), mixed signal ICs, application specific integrated circuits (application specific integrated circuit, ASIC), printed circuit boards (printed circuit board, PCB), electronic devices, and the like. The processor and transceiver may also be fabricated using a variety of IC process technologies such as complementary metal oxide semiconductor (complementary metal oxide semiconductor, CMOS), N-type metal oxide semiconductor (NMOS), P-type metal oxide semiconductor (positive channel metal oxide semiconductor, PMOS), bipolar junction transistor (bipolar junction transistor, BJT), bipolar CMOS (BiCMOS), silicon germanium (SiGe), gallium arsenide (GaAs), etc.
The apparatus described in the above embodiment may be the first terminal device or the second terminal device, but the scope of the apparatus described in the present application is not limited thereto, and the structure of the apparatus may not be limited by fig. 9. The apparatus may be a stand-alone device or may be part of a larger device. For example, the device may be:
(1) A stand-alone integrated circuit IC, or chip, or system-on-a-chip or subsystem;
(2) Having a set of one or more ICs, which may optionally also include storage means for storing data and/or instructions;
(3) An ASIC, such as a modem (MSM);
(4) Modules that may be embedded within other devices;
(5) Receivers, terminals, smart terminals, cellular telephones, wireless devices, handsets, mobile units, vehicle devices, network devices, cloud devices, artificial intelligence devices, machine devices, home devices, medical devices, industrial devices, etc.;
(6) Others, and so on.
Referring to fig. 10, fig. 10 is a schematic structural diagram of a terminal device according to an embodiment of the present application. For convenience of explanation, fig. 10 shows only major components of the terminal device. As shown in fig. 10, the terminal device 1000 includes a processor, a memory, a control circuit, an antenna, and an input-output device. The processor is mainly used for processing the communication protocol and the communication data, controlling the whole terminal, executing the software program and processing the data of the software program. The memory is mainly used for storing software programs and data. The radio frequency circuit is mainly used for converting a baseband signal and a radio frequency signal and processing the radio frequency signal. The antenna is mainly used for receiving and transmitting radio frequency signals in the form of electromagnetic waves. Input and output devices, such as touch screens, display screens, keyboards, etc., are mainly used for receiving data input by a user and outputting data to the user.
When the terminal is started, the processor can read the software program in the storage unit, analyze and execute the instructions of the software program and process the data of the software program. When data is required to be transmitted wirelessly, the processor carries out baseband processing on the data to be transmitted and then outputs a baseband signal to the radio frequency circuit, and the radio frequency circuit processes the baseband signal to obtain a radio frequency signal and transmits the radio frequency signal outwards in the form of electromagnetic waves through the antenna. When data is transmitted to the terminal, the radio frequency circuit receives a radio frequency signal through the antenna, the radio frequency signal is further converted into a baseband signal, and the baseband signal is output to the processor, and the processor converts the baseband signal into data and processes the data.
For ease of illustration, fig. 10 shows only one memory and processor. In an actual terminal, there may be multiple processors and memories. The memory may also be referred to as a storage medium or storage device, etc., and embodiments of the present application are not limited in this regard.
As an alternative implementation manner, the processor may include a baseband processor, which is mainly used to process the communication protocol and the communication data, and a central processor, which is mainly used to control the whole terminal, execute a software program, and process the data of the software program. The processor in fig. 10 integrates the functions of a baseband processor and a central processing unit, and those skilled in the art will appreciate that the baseband processor and the central processing unit may be separate processors, interconnected by bus technology, etc. Those skilled in the art will appreciate that a terminal may include multiple baseband processors to accommodate different network formats, and that a terminal may include multiple central processors to enhance its processing capabilities, with various components of the terminal being connectable via various buses. The baseband processor may also be expressed as a baseband processing circuit or a baseband processing chip. The central processing unit may also be expressed as a central processing circuit or a central processing chip. The function of processing the communication protocol and the communication data may be built in the processor, or may be stored in the storage unit in the form of a software program, which is executed by the processor to realize the baseband processing function.
In one example, an antenna and a control circuit having a transmitting/receiving function can be regarded as a transmitting/receiving unit 1001 of the terminal device 1000, and a processor having a processing function can be regarded as a processing unit 1002 of the terminal device 1000. As shown in fig. 10, the terminal device 1000 includes a transceiving unit 1001 and a processing unit 1002. The transceiver unit may also be referred to as a transceiver, transceiver device, etc. Alternatively, a device for implementing a receiving function in the transceiver unit 1001 may be regarded as a receiving unit, and a device for implementing a transmitting function in the transceiver unit 1001 may be regarded as a transmitting unit, that is, the transceiver unit 1001 includes a receiving unit and a transmitting unit. For example, the receiving unit may also be referred to as a receiver, a receiving circuit, etc., and the transmitting unit may be referred to as a transmitter, a transmitting circuit, etc. Alternatively, the receiving unit and the transmitting unit may be integrated together, or may be a plurality of independent units. The receiving unit and the transmitting unit may be located in one geographical location or may be distributed among a plurality of geographical locations.
In one embodiment, the processing unit 1002 is configured to perform the operation performed by the processing unit 702 in the above embodiment, and the transceiver unit 1001 is configured to perform the operation performed by the transceiver unit 701 in the above embodiment. The terminal device 1000 may also be used to execute various methods executed by the terminal device in the embodiments of the methods of fig. 3-5, which are not described herein.
The embodiment of the application also provides a computer readable storage medium, on which a computer program is stored, where the program, when executed by a processor, can implement a procedure related to a terminal in the communication method provided in the above method embodiment.
The embodiment of the application also provides a computer readable storage medium, on which a computer program is stored, where the program when executed by a processor can implement a flow related to a network device in the communication method provided in the above method embodiment.
Embodiments of the present application also provide a computer program product which, when run on a computer or processor, causes the computer or processor to perform one or more steps of any of the communication methods described above. The respective constituent modules of the above-mentioned apparatus may be stored in the computer-readable storage medium if implemented in the form of software functional units and sold or used as independent products.
The embodiment of the application further provides a chip system, which comprises at least one processor and a communication interface, wherein the communication interface and the at least one processor are interconnected through a line, and the at least one processor is used for running a computer program or instructions to execute part or all of the steps of any one of the method embodiments corresponding to the above-mentioned fig. 3-5. The chip system can be composed of chips, and can also comprise chips and other discrete devices.
The embodiment of the application also discloses a communication system, which comprises one or more devices such as terminal equipment, access network equipment, SMF network elements, UPF network elements and/or the like, and the specific description can refer to the communication methods shown in fig. 3-5.
It should be understood that the memories mentioned in the embodiments of the present application may be volatile memories or nonvolatile memories, or may include both volatile and nonvolatile memories. The nonvolatile memory may be a hard disk (HDD), a solid state drive (SSD), a read-only memory (ROM), a programmable ROM (PROM), an erasable programmable ROM (EPROM), an electrically erasable programmable ROM (EEPROM), or a flash memory. The volatile memory may be random access memory (random access memory, RAM), which acts as an external cache. By way of example, and not limitation, many forms of RAM are available, such as static RAM (SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), double data rate SDRAM (DDR SDRAM), enhanced SDRAM (ESDRAM), synchlink DRAM (SLDRAM), and direct Rambus RAM (DR RAM). The memory may also be any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer, but is not limited to such. The memory in the embodiments of the present application may also be circuitry or any other device capable of implementing a memory function for storing program instructions and/or data.
It should also be appreciated that the processors referred to in the embodiments of the present application may be central processing units (central processing unit, CPU), but may also be other general purpose processors, digital signal processors (digital signal processor, DSP), application specific integrated circuits (application specific integrated circuit, ASIC), field programmable gate arrays (field programmable gate array, FPGA) or other programmable logic devices, discrete gate or transistor logic devices, discrete hardware components, or the like. A general purpose processor may be a microprocessor, or the processor may be any conventional processor or the like.
Note that when the processor is a general-purpose processor, DSP, ASIC, FPGA or other programmable logic device, discrete gate or transistor logic device, discrete hardware components, the memory (storage module) is integrated into the processor.
It should be noted that the memory described herein is intended to comprise, without being limited to, these and any other suitable types of memory.
It should be understood that, in various embodiments of the present application, the sequence numbers of the foregoing processes do not mean the order of execution, and the order of execution of the processes should be determined by the functions and internal logic thereof, and should not constitute any limitation on the implementation process of the embodiments of the present application.
Those of ordinary skill in the art will appreciate that the elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, or combinations of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
It will be clear to those skilled in the art that, for convenience and brevity of description, specific working procedures of the above-described systems, apparatuses and units may refer to corresponding procedures in the foregoing method embodiments, and are not repeated herein.
In the several embodiments provided in this application, it should be understood that the disclosed systems, devices, and methods may be implemented in other manners. For example, the apparatus embodiments described above are merely illustrative, e.g., the division of the units is merely a logical function division, and there may be additional divisions when actually implemented, e.g., multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed with each other may be an indirect coupling or communication connection via some interfaces, devices or units, which may be in electrical, mechanical or other form.
The units described as separate units may or may not be physically separate, and units shown as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional unit in each embodiment of the present application may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit.
The functions, if implemented in the form of software functional units and sold or used as a stand-alone product, may be stored in a computer-readable storage medium. Based on such an understanding, the technical solution of the present application, or the part of it that contributes to the prior art, or a part of the technical solution, may be embodied in the form of a software product stored in a storage medium and including several instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to perform all or part of the steps of the methods described in the embodiments of the present application. The aforementioned storage medium includes a USB flash drive, a removable hard disk, a ROM, a RAM, a magnetic disk, an optical disc, etc.
The steps in the method of the embodiment of the application can be sequentially adjusted, combined and deleted according to actual needs.
The modules/units in the device of the embodiment of the application can be combined, divided and deleted according to actual needs.
The above embodiments are merely intended to illustrate the technical solution of the present application, not to limit it. Although the present application has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that the technical solutions described in the foregoing embodiments can still be modified, or some of their technical features can be replaced by equivalents, and that such modifications and substitutions do not cause the essence of the corresponding technical solutions to depart from the scope of the technical solutions of the embodiments of the present application.

Claims (21)

1. A method of communication, comprising:
acquiring a security policy corresponding to a quality of service (QoS) flow identifier (QFI), wherein the security policy comprises an integrity protection policy and/or a confidentiality protection policy;
and executing security protection on a first data radio bearer (DRB) corresponding to the QFI according to the security policy.
2. The method of claim 1, wherein the obtaining the security policy corresponding to QFI comprises:
receiving the security policy corresponding to the QFI from a session management function (SMF) network element.
3. The method of claim 1, wherein the obtaining the security policy corresponding to QFI comprises:
acquiring QoS attribute indication information corresponding to the QFI, wherein the QoS attribute indication information indicates the quality of service guarantee adopted for the QoS flow identified by the QFI;
acquiring the security policy corresponding to the QoS attribute indication information;
and determining the security policy corresponding to the QFI according to the QoS attribute indication information corresponding to the QFI and the security policy corresponding to the QoS attribute indication information.
4. The method according to any one of claims 1-3, wherein the method further comprises:
sending indication information to a terminal device according to the security policy, wherein the indication information indicates that security protection is to be performed on the first DRB.
5. The method according to any one of claims 1-4, wherein performing security protection on the first DRB corresponding to the QFI according to the security policy comprises:
receiving a first data packet from a terminal device through the first DRB;
and executing security protection on the first data packet according to the security policy.
6. The method of claim 5, wherein the method further comprises:
determining the security policy according to the QFI included in the first data packet.
7. The method according to claim 5 or 6, wherein the method further comprises:
sending the first data packet to a user plane function (UPF) network element through the QoS flow corresponding to the QFI.
8. The method of any one of claims 1-7, wherein performing security protection on the first DRB corresponding to the QFI according to the security policy comprises:
receiving a second data packet from a user plane function (UPF) network element through the QoS flow corresponding to the QFI;
performing security protection on the second data packet according to the security policy;
and sending the second data packet to the terminal device through the first DRB.
9. The method according to any one of claims 1-8, wherein the first DRB is a DRB capable of supporting the security policy.
10. The method according to claim 9, wherein the method further comprises:
determining the first DRB from already created DRBs, or creating the first DRB.
11. A method of communication, comprising:
receiving indication information from an access network device, wherein the indication information indicates that security protection is to be performed on a first data radio bearer (DRB), and the security protection comprises integrity protection and/or confidentiality protection;
and executing security protection on the first DRB according to the indication information.
12. The method of claim 11, wherein the performing security protection on the first DRB based on the indication information comprises:
performing security protection on a first data packet according to the indication information;
and sending the security-protected first data packet to the access network device through the first DRB.
13. The method of claim 11 or 12, wherein the performing security protection on the first DRB according to the indication information comprises:
receiving a second data packet from the access network device through the first DRB;
and executing security protection on the second data packet according to the indication information.
14. A method of communication, comprising:
receiving a policy and charging control (PCC) rule from a policy control function (PCF) network element, wherein the PCC rule comprises quality of service (QoS) attribute indication information and a security policy, and the security policy comprises an integrity protection policy and/or a confidentiality protection policy;
associating the PCC rule with a QoS flow based on the QoS attribute indication information and the security policy;
and sending the security policy corresponding to the QoS flow identifier (QFI) of the QoS flow to an access network device.
15. The method according to claim 14, wherein associating the PCC rule with the QoS flow based on the QoS attribute indication information and the security policy comprises:
determining, from already created QoS flows, a QoS flow capable of supporting the QoS attribute indication information and the security policy, or creating a QoS flow that supports the QoS attribute indication information and the security policy;
and associating the PCC rule with that QoS flow.
16. A communication device, comprising one or more functional units configured to perform the communication method according to any one of claims 1-10; or
the communication method according to any one of claims 11-13; or
the communication method according to any one of claims 14-15.
17. A communication device, comprising a processor, a memory, an input interface for receiving information from a device other than the communication device, and an output interface for outputting information to a device other than the communication device, wherein a computer program stored in the memory, when invoked by the processor, causes the communication device to perform the communication method according to any one of claims 1-10; or
the communication method according to any one of claims 11-13; or
the communication method according to any one of claims 14-15.
18. A computer-readable storage medium, wherein the computer-readable storage medium stores a computer program or computer instructions which, when executed by a processor, implement the communication method according to any one of claims 1-10; or
the communication method according to any one of claims 11-13; or
the communication method according to any one of claims 14-15.
19. A computer program product, comprising program instructions which, when run on a computer, implement the communication method according to any one of claims 1-10; or
the communication method according to any one of claims 11-13; or
the communication method according to any one of claims 14-15.
20. A communication system, comprising one or more of: a terminal device, an access network device, a session management function network element, and a user plane function network element.
21. A system on a chip, comprising at least one processor, a memory and an interface circuit, wherein the memory, the interface circuit and the at least one processor are interconnected by a line, and the memory stores instructions which, when executed by the at least one processor, implement the communication method according to any one of claims 1-10; or
the communication method according to any one of claims 11-13; or
the communication method according to any one of claims 14-15.
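The procedure of claims 1-15 (PCF to SMF to access network to terminal), as an added worked example that is not part of the patent and not Huawei's code. It is a toy Python model of the claimed flow, and everything concrete in it is an assumption made for illustration: the 5QI-style QoS attribute labels and their mapping to security policies, the 16-byte key shared by terminal and gNB, the 1-byte QFI header carried in the clear, the hash-counter keystream that stands in for a real ciphering algorithm, and the 4-byte MAC. It shows the SMF binding a PCC rule to a QoS flow that supports both the QoS attribute and the security policy (claim 15), the access network reusing a DRB only when its policy matches and otherwise creating one (claims 9-10), the indication sent to the terminal (claims 4 and 11), and the receiver determining the policy from the QFI carried in each packet (claim 6), including dropping a packet that arrives without the integrity protection the policy requires.

```python
# Added toy model of the per-QoS-flow security policy procedure; assumptions are marked in comments.
from __future__ import annotations
from dataclasses import dataclass
import hashlib, hmac
MAC_LEN = 4  # assumption: a 32-bit MAC; the claims do not fix a length

@dataclass(frozen=True)
class SecurityPolicy:
    integrity: bool        # integrity protection required on the DRB
    confidentiality: bool  # ciphering required on the DRB

# Claim 3: policy derived from the QoS attribute indication (labels and mapping constructed here).
POLICY_BY_QOS_ATTR = {
    "5QI=1":  SecurityPolicy(integrity=False, confidentiality=True),   # voice
    "5QI=2":  SecurityPolicy(integrity=False, confidentiality=True),   # video
    "5QI=9":  SecurityPolicy(integrity=False, confidentiality=False),  # best effort
    "5QI=69": SecurityPolicy(integrity=True,  confidentiality=True),   # mission-critical signalling
}

@dataclass
class QosFlow:
    qfi: int
    qos_attr: str
    policy: SecurityPolicy

@dataclass
class DRB:
    drb_id: int
    policy: SecurityPolicy

class SMF:
    """Claims 14-15: bind a PCC rule to a QoS flow supporting both its QoS attribute and policy."""
    def __init__(self) -> None:
        self.flows: list[QosFlow] = []
    def handle_pcc_rule(self, qos_attr: str, policy: SecurityPolicy) -> QosFlow:
        for flow in self.flows:
            if flow.qos_attr == qos_attr and flow.policy == policy:
                return flow                                  # reuse an already created flow
        flow = QosFlow(qfi=len(self.flows) + 1, qos_attr=qos_attr, policy=policy)
        self.flows.append(flow)                              # or create one that supports both
        return flow

class GNB:
    """Claims 1-2, 4, 9-10: map each QFI onto a DRB whose policy matches, or create one."""
    def __init__(self) -> None:
        self.policy_by_qfi: dict[int, SecurityPolicy] = {}
        self.drbs: list[DRB] = []
    def receive_policy(self, qfi: int, policy: SecurityPolicy) -> DRB:
        self.policy_by_qfi[qfi] = policy                     # QFI -> policy received from the SMF
        for drb in self.drbs:
            if drb.policy == policy:                         # reuse only on an exact policy match
                return drb
        drb = DRB(drb_id=len(self.drbs) + 1, policy=policy)
        self.drbs.append(drb)
        return drb
    def indication(self, drb: DRB) -> dict:                  # claims 4 and 11: sent to the terminal
        return {"drb": drb.drb_id, "integrity": drb.policy.integrity, "ciphering": drb.policy.confidentiality}

def _keystream(key: bytes, qfi: int, count: int, n: int) -> bytes:  # toy stand-in for a real cipher
    return b"".join(hashlib.sha256(key + bytes([qfi, i]) + count.to_bytes(4, "big")).digest()
                    for i in range((n + 31) // 32))[:n]

def protect(key: bytes, policy: SecurityPolicy, qfi: int, count: int, payload: bytes) -> bytes:
    """Sender side (claims 5, 8, 12): 1-byte QFI header in clear, payload, optional MAC."""
    if policy.confidentiality:
        payload = bytes(p ^ k for p, k in zip(payload, _keystream(key, qfi, count, len(payload))))
    pdu = bytes([qfi]) + payload
    if policy.integrity:
        pdu += hmac.new(key, count.to_bytes(4, "big") + pdu, "sha256").digest()[:MAC_LEN]
    return pdu

def unprotect(key: bytes, policy_by_qfi: dict[int, SecurityPolicy], count: int, pdu: bytes) -> bytes | None:
    """Receiver side (claim 6): policy looked up from the QFI in the packet; None means drop."""
    policy = policy_by_qfi.get(pdu[0])
    if policy is None or (policy.integrity and len(pdu) < 1 + MAC_LEN):
        return None                                          # unknown flow or truncated PDU
    body = pdu
    if policy.integrity:
        body, mac = pdu[:-MAC_LEN], pdu[-MAC_LEN:]
        expected = hmac.new(key, count.to_bytes(4, "big") + body, "sha256").digest()[:MAC_LEN]
        if not hmac.compare_digest(mac, expected):
            return None                                      # forged or unprotected PDU, or wrong COUNT
    payload = body[1:]
    if policy.confidentiality:
        payload = bytes(p ^ k for p, k in zip(payload, _keystream(key, pdu[0], count, len(payload))))
    return payload

def run_demo() -> dict:
    key = b"\x01" * 16                                       # constructed key shared by terminal and gNB
    smf, gnb = SMF(), GNB()
    flows = [smf.handle_pcc_rule(a, POLICY_BY_QOS_ATTR[a]) for a in ("5QI=69", "5QI=1", "5QI=2", "5QI=9")]
    drbs = [gnb.receive_policy(f.qfi, f.policy) for f in flows]
    uplink = protect(key, flows[0].policy, flows[0].qfi, count=7, payload=b"hello")
    # a terminal that ignores the indication and sends on the same flow without integrity protection
    weak = protect(key, SecurityPolicy(integrity=False, confidentiality=True), flows[0].qfi, 7, b"hello")
    return {"drb_ids": [d.drb_id for d in drbs], "indication": gnb.indication(drbs[0]),
            "uplink": unprotect(key, gnb.policy_by_qfi, 7, uplink),
            "weak_dropped": unprotect(key, gnb.policy_by_qfi, 7, weak) is None}
```

Calling run_demo() walks the whole exchange: four constructed PCC rules become four QoS flows, the two flows whose policy is the same (voice and video, ciphering only) land on the same DRB while the integrity-protected and unprotected flows each get their own, the uplink packet on the integrity-protected flow decrypts to the original payload, and the packet sent on that flow without a MAC is dropped because the receiver derives the required policy from the QFI in the packet rather than from what the sender chose to apply. The hash-based keystream and truncated HMAC are only there to make the policy decisions visible; a real implementation would use the network's standardised ciphering and integrity algorithms and their COUNT handling, which this toy does not model.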
CN202210821767.5A 2022-07-13 2022-07-13 Communication method, communication device and communication system Pending CN117440366A (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN202210821767.5A CN117440366A (en) 2022-07-13 2022-07-13 Communication method, communication device and communication system
PCT/CN2023/105370 WO2024012299A1 (en) 2022-07-13 2023-06-30 Communication method, communication apparatus, and communication system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210821767.5A CN117440366A (en) 2022-07-13 2022-07-13 Communication method, communication device and communication system

Publications (1)

Publication Number Publication Date
CN117440366A true CN117440366A (en) 2024-01-23

Family

ID=89535517

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210821767.5A Pending CN117440366A (en) 2022-07-13 2022-07-13 Communication method, communication device and communication system

Country Status (2)

Country Link
CN (1) CN117440366A (en)
WO (1) WO2024012299A1 (en)

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109600339B (en) * 2017-09-30 2022-01-11 华为技术有限公司 Communication method, device and system
WO2019095209A1 (en) * 2017-11-16 2019-05-23 Zte Corporation Method and computing device for carrying out data integrity protection
CN110557786B (en) * 2018-05-31 2022-04-05 华为技术有限公司 Method and device for establishing radio bearer and monitoring service flow

Also Published As

Publication number Publication date
WO2024012299A1 (en) 2024-01-18

Legal Events

Date Code Title Description
PB01 Publication